New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs

New setcred() system call and associated MAC hooks

This new system call allows to set all necessary credentials of
a process in one go: Effective, real and saved UIDs, effective, real and
saved GIDs, supplementary groups and the MAC label. Its advantage over
standard credential-setting system calls (such as setuid(), seteuid(),
etc.) is that it enables MAC modules, such as MAC/do, to restrict the
set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call
multiple credential system calls and in a specific order (setuid() must
be last, so as to remain root for all other credential-setting calls,
which would otherwise fail with insufficient privileges). This
piecewise approach causes the process to transiently hold credentials
that are neither the original nor the final ones. For the kernel to
enforce that only certain transitions of credentials are allowed, either
these possibly non-compliant transient states have to disappear (by
setting all relevant attributes in one go), or the kernel must delay
setting or checking the new credentials. Delaying setting credentials
could be done, e.g., by having some mode where the standard system calls
contribute to building new credentials but without committing them. It
could be started and ended by a special system call. Delaying checking
could mean that, e.g., the kernel only verifies the credentials
transition at the next non-credential-setting system call (we just
mention this possibility for completeness, but are certainly not
endorsing it).

We chose the simpler approach of a new system call, as we don't expect
the set of credentials one can set to change often. It has the
advantages that the traditional system calls' code doesn't have to be
changed and that we can establish a special MAC protocol for it, by
having some cleanup function called just before returning (this is
a requirement for MAC/do), without disturbing the existing ones.

The mac_cred_check_setcred() hook is passed the flags received by
setcred() (including the version) and both the old and new kernel's
'struct ucred' instead of 'struct setcred' as this should simplify
evolving existing hooks as the 'struct setcred' structure evolves. The
mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always
called by pairs around potential calls to mac_cred_check_setcred().
They allow MAC modules to allocate/free data they may need in their
mac_cred_check_setcred() hook, as the latter is called under the current
process' lock, rendering sleepable allocations impossible. MAC/do is
going to leverage these in a subsequent commit. A scheme where
mac_cred_check_setcred() could return ERESTART was considered but is
incompatible with proper composition of MAC modules.

While here, add missing includes and declarations for standalone
inclusion of <sys/ucred.h> both from kernel and userspace (for the
latter, it has been working thanks to <bsm/audit.h> already including
<sys/types.h>).

Reviewed by: brooks
Approved by: markj (mentor)
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47618

show more ...

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

sys/security: minor spelling fixes.

No functional change.

Merge head

IFC @264767

Merge head up to r262222 (last merge was incomplete).

MFC @ r259205 in preparation for some SVM updates. (for real this time)

- For kernel compiled only with KDTRACE_HOOKS and not any lock debugging
option, unbreak the lock tracing release semantic by embedding
calls to LOCKSTAT_PROFILE_RELEASE_LOCK() direclty in the in

- For kernel compiled only with KDTRACE_HOOKS and not any lock debugging
option, unbreak the lock tracing release semantic by embedding
calls to LOCKSTAT_PROFILE_RELEASE_LOCK() direclty in the inlined
version of the releasing functions for mutex, rwlock and sxlock.
Failing to do so skips the lockstat_probe_func invokation for
unlocking.
- As part of the LOCKSTAT support is inlined in mutex operation, for
kernel compiled without lock debugging options, potentially every
consumer must be compiled including opt_kdtrace.h.
Fix this by moving KDTRACE_HOOKS into opt_global.h and remove the
dependency by opt_kdtrace.h for all files, as now only KDTRACE_FRAMES
is linked there and it is only used as a compile-time stub [0].

[0] immediately shows some new bug as DTRACE-derived support for debug
in sfxge is broken and it was never really tested. As it was not
including correctly opt_kdtrace.h before it was never enabled so it
was kept broken for a while. Fix this by using a protection stub,
leaving sfxge driver authors the responsibility for fixing it
appropriately [1].

Sponsored by: EMC / Isilon storage division
Discussed with: rstone
[0] Reported by: rstone
[1] Discussed with: philip

show more ...

Merge from head

Merge from HEAD

Rename MAC Framework-internal macros used to invoke policy entry points:

MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK

Rename MAC Framework-internal macros used to invoke policy entry points:

MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK -> MAC_POLICY_CHECK
MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP
MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE
MAC_GRANT -> MAC_POLICY_GRANT
MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP
MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE
MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK
MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP

This frees up those macro names for use in wrapping calls into the MAC
Framework from the remainder of the kernel.

Obtained from: TrustedBSD Project

show more ...

- Merge from HEAD

Rework MAC Framework synchronization in a number of ways in order to
improve performance:

- Eliminate custom reference count and condition variable to monitor
threads entering the framework, as th

Rework MAC Framework synchronization in a number of ways in order to
improve performance:

- Eliminate custom reference count and condition variable to monitor
threads entering the framework, as this had both significant overhead
and behaved badly in the face of contention.

- Replace reference count with two locks: an rwlock and an sx lock,
which will be read-acquired by threads entering the framework
depending on whether a give policy entry point is permitted to sleep
or not.

- Replace previous mutex locking of the reference count for exclusive
access with write acquiring of both the policy list sx and rw locks,
which occurs only when policies are attached or detached.

- Do a lockless read of the dynamic policy list head before acquiring
any locks in order to reduce overhead when no dynamic policies are
loaded; this a race we can afford to lose.

- For every policy entry point invocation, decide whether sleeping is
permitted, and if not, use a _NOSLEEP() variant of the composition
macros, which will use the rwlock instead of the sxlock. In some
cases, we decide which to use based on allocation flags passed to the
MAC Framework entry point.

As with the move to rwlocks/rmlocks in pfil, this may trigger witness
warnings, but these should (generally) be false positives as all
acquisition of the locks is for read with two very narrow exceptions
for policy load/unload, and those code blocks should never acquire
other locks.

Sponsored by: Google, Inc.
Obtained from: TrustedBSD Project
Discussed with: csjp (idea, not specific patch)

show more ...

Update the projects tree to a newer FreeBSD current.

Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entr

Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.

mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_ceck_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.

show more ...

Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework fol

Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.

Successful access control checks will be reported by:

mac_framework:kernel:<entrypoint>:mac_check_ok

Failed access control checks will be reported by:

mac_framework:kernel:<entrypoint>:mac_check_err

Successful privilege grants will be reported by:

mac_framework:kernel:priv_grant:mac_grant_ok

Failed privilege grants will be reported by:

mac_framework:kernel:priv_grant:mac_grant_err

In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.

show more ...

integrate from head@185615

Break out strictly credential-related portions of mac_process.c into a
new file, mac_cred.c.

Obtained from: TrustedBSD Project

Merge from HEAD

Rename MAC Framework-internal macros used to invoke policy entry points:

MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK

Rename MAC Framework-internal macros used to invoke policy entry points:

MAC_BOOLEAN -> MAC_POLICY_BOOLEAN
MAC_BOOLEAN_NOSLEEP -> MAC_POLICY_BOOLEANN_NOSLEEP
MAC_CHECK -> MAC_POLICY_CHECK
MAC_CHECK_NOSLEEP -> MAC_POLICY_CHECK_NOSLEEP
MAC_EXTERNALIZE -> MAC_POLICY_EXTERNALIZE
MAC_GRANT -> MAC_POLICY_GRANT
MAC_GRANT_NOSLEEP -> MAC_POLICY_GRANT_NOSLEEP
MAC_INTERNALIZE -> MAC_POLICY_INTERNALIZE
MAC_PERFORM -> MAC_POLICY_PERFORM_CHECK
MAC_PERFORM_NOSLEEP -> MAC_POLICY_PERFORM_NOSLEEP

This frees up those macro names for use in wrapping calls into the MAC
Framework from the remainder of the kernel.

Obtained from: TrustedBSD Project

show more ...

- Merge from HEAD

Rework MAC Framework synchronization in a number of ways in order to
improve performance:

- Eliminate custom reference count and condition variable to monitor
threads entering the framework, as th

Rework MAC Framework synchronization in a number of ways in order to
improve performance:

- Eliminate custom reference count and condition variable to monitor
threads entering the framework, as this had both significant overhead
and behaved badly in the face of contention.

- Replace reference count with two locks: an rwlock and an sx lock,
which will be read-acquired by threads entering the framework
depending on whether a give policy entry point is permitted to sleep
or not.

- Replace previous mutex locking of the reference count for exclusive
access with write acquiring of both the policy list sx and rw locks,
which occurs only when policies are attached or detached.

- Do a lockless read of the dynamic policy list head before acquiring
any locks in order to reduce overhead when no dynamic policies are
loaded; this a race we can afford to lose.

- For every policy entry point invocation, decide whether sleeping is
permitted, and if not, use a _NOSLEEP() variant of the composition
macros, which will use the rwlock instead of the sxlock. In some
cases, we decide which to use based on allocation flags passed to the
MAC Framework entry point.

As with the move to rwlocks/rmlocks in pfil, this may trigger witness
warnings, but these should (generally) be false positives as all
acquisition of the locks is for read with two very narrow exceptions
for policy load/unload, and those code blocks should never acquire
other locks.

Sponsored by: Google, Inc.
Obtained from: TrustedBSD Project
Discussed with: csjp (idea, not specific patch)

show more ...

Update the projects tree to a newer FreeBSD current.

Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entr

Improve the consistency of MAC Framework and MAC policy entry point
naming by renaming certain "proc" entry points to "cred" entry points,
reflecting their manipulation of credentials. For some entry points,
the process was passed into the framework but not into policies; in
these cases, stop passing in the process since we don't need it.

mac_proc_check_setaudit -> mac_cred_check_setaudit
mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr
mac_proc_check_setauid -> mac_cred_check_setauid
mac_proc_check_setegid -> mac_cred_check_setegid
mac_proc_check_seteuid -> mac_cred_check_seteuid
mac_proc_check_setgid -> mac_cred_check_setgid
mac_proc_check_setgroups -> mac_cred_ceck_setgroups
mac_proc_check_setregid -> mac_cred_check_setregid
mac_proc_check_setresgid -> mac_cred_check_setresgid
mac_proc_check_setresuid -> mac_cred_check_setresuid
mac_proc_check_setreuid -> mac_cred_check_setreuid
mac_proc_check_setuid -> mac_cred_check_setuid

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.

show more ...

Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework fol

Add static DTrace probes for MAC Framework access control checks and
privilege grants so that dtrace can be more easily used to monitor
the security decisions being generated by the MAC Framework following
policy invocation.

Successful access control checks will be reported by:

mac_framework:kernel:<entrypoint>:mac_check_ok

Failed access control checks will be reported by:

mac_framework:kernel:<entrypoint>:mac_check_err

Successful privilege grants will be reported by:

mac_framework:kernel:priv_grant:mac_grant_ok

Failed privilege grants will be reported by:

mac_framework:kernel:priv_grant:mac_grant_err

In all cases, the return value (always 0 for _ok, otherwise an errno
for _err) will be reported via arg0 on the probe, and subsequent
arguments will hold entrypoint-specific data, in a style similar to
privilege tracing.

Obtained from: TrustedBSD Project
Sponsored by: Google, Inc.

show more ...