Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:

setuid() mac_check_proc

Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:

setuid() mac_check_proc_setuid()
seteuid() mac_check_proc_seteuid()
setgid() mac_check_proc_setgid()
setegid() mac_check_proc_setegid()
setgroups() mac_check_proc_setgroups()
setreuid() mac_check_proc_setreuid()
setregid() mac_check_proc_setregid()
setresuid() mac_check_proc_setresuid()
setresgid() mac_check_rpoc_setresgid()

MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points. The mac_test and mac_stub policies are updated.

Submitted by: Samy Al Bahra <samy@kerneled.org>
Obtained from: TrustedBSD Project

show more ...

Move MAC check_vnode_mmap entry point out from being exclusive to
MAP_SHARED so that the entry point gets executed un-conditionally.
This may be useful for security policies which want to perform acc

Move MAC check_vnode_mmap entry point out from being exclusive to
MAP_SHARED so that the entry point gets executed un-conditionally.
This may be useful for security policies which want to perform access
control checks around run-time linking.

-add the mmap(2) flags argument to the check_vnode_mmap entry point
so that we can make access control decisions based on the type of
mapped object.
-update any dependent API around this parameter addition such as
function prototype modifications, entry point parameter additions
and the inclusion of sys/mman.h header file.
-Change the MLS, BIBA and LOMAC security policies so that subject
domination routines are not executed unless the type of mapping is
shared. This is done to maintain compatibility between the old
vm_mmap_vnode(9) and these policies.

Reviewed by: rwatson
MFC after: 1 month

show more ...

Define new MAC framework and policy entry points for System V IPC
objects and operations:

- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create

Define new MAC framework and policy entry points for System V IPC
objects and operations:

- System V IPC message, message queue, semaphore, and shared memory
segment init, destroy, cleanup, create operations.

- System V IPC message, message queue, seamphore, and shared memory
segment access control entry points, including rights to attach,
destroy, and manipulate these IPC objects.

Submitted by: Dandekar Hrishikesh <rishi_dandekar at sbcglobal dot net>
Obtained from: TrustedBSD Project
Sponsored by: DARPA, SPAWAR, McAfee Research

show more ...

Do the dreaded s/dev_t/struct cdev */
Bump __FreeBSD_version accordingly.

Improve consistency of include file guards in src/sys/sys by terminating
them with '_', as well as beginning with '_'.

Observed by: bde

Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_AN

Reimplement sysctls handling by MAC framework.
Now I believe it is done in the right way.

Removed some XXMAC cases, we now assume 'high' integrity level for all
sysctls, except those with CTLFLAG_ANYBODY flag set. No more magic.

Reviewed by: rwatson
Approved by: rwatson, scottl (mentor)
Tested with: LINT (compilation), mac_biba(4) (functionality)

show more ...

Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
line

Update my personal copyrights and NETA copyrights in the kernel
to use the "year1-year3" format, as opposed to "year1, year2, year3".
This seems to make lawyers more happy, but also prevents the
lines from getting excessively long as the years start to add up.

Suggested by: imp

show more ...

Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.

- Create a new "struct pipepair" object holding the two 'str

Coalesce pipe allocations and frees. Previously, the pipe code
would allocate two 'struct pipe's from the pipe zone, and malloc a
mutex.

- Create a new "struct pipepair" object holding the two 'struct
pipe' instances, struct mutex, and struct label reference. Pipe
structures now have a back-pointer to the pipe pair, and a
'pipe_present' flag to indicate whether the half has been
closed.

- Perform mutex init/destroy in zone init/destroy, avoiding
reallocating the mutex for each pipe. Perform most pipe structure
setup in zone constructor.

- VM memory mappings for pageable buffers are still done outside of
the UMA zone.

- Change MAC API to speak 'struct pipepair' instead of 'struct pipe',
update many policies. MAC labels are also handled outside of the
UMA zone for now. Label-only policy modules don't have to be
recompiled, but if a module is recompiled, its pipe entry points
will need to be updated. If a module actually reached into the
pipe structures (unlikely), that would also need to be modified.

These changes substantially simplify failure handling in the pipe
code as there are many fewer possible failure modes.

On half-close, pipes no longer free the 'struct pipe' for the closed
half until a full-close takes place. However, VM mapped buffers
are still released on half-close.

Some code refactoring is now possible to clean up some of the back
references, etc; this patch attempts not to change the structure
of most of the pipe implementation, only allocation/free code
paths, so as to avoid introducing bugs (hopefully).

This cuts about 8%-9% off the cost of sequential pipe allocation
and free in system call tests on UP and SMP in my micro-benchmarks.
May or may not make a difference in macro-benchmarks, but doing
less work is good.

Reviewed by: juli, tjr
Testing help: dwhite, fenestro, scottl, et al

show more ...

Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label. This avoids reaching up to
the socket layer during connection close, which requires locking
chan

Switch TCP over to using the inpcb label when responding in timed
wait, rather than the socket label. This avoids reaching up to
the socket layer during connection close, which requires locking
changes. To do this, introduce MAC Framework entry point
mac_create_mbuf_from_inpcb(), which is called from tcp_twrespond()
instead of calling mac_create_mbuf_from_socket() or
mac_create_mbuf_netlayer(). Introduce MAC Policy entry point
mpo_create_mbuf_from_inpcb(), and implementations for various
policies, which generally just copy label data from the inpcb to
the mbuf. Assert the inpcb lock in the entry point since we
require consistency for the inpcb label reference.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label(). This is more consistent with similar entry
points fo

Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(),
and the mpo_create_cred() MAC policy entry point to
mpo_copy_cred_label(). This is more consistent with similar entry
points for creation and label copying, as mac_create_cred() was
called from crdup() as opposed to during process creation. For
a number of policies, this removes the requirement for special
handling when copying credential labels, and improves consistency.

Approved by: re (scottl)
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
net

Introduce a MAC label reference in 'struct inpcb', which caches
the MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols. This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks. Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by: sam, bms
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL. This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the

Implement mac_get_peer(3) using getsockopt() with SOL_SOCKET and
SO_PEERLABEL. This provides an interface to query the label of a
socket peer without embedding implementation details of mac_t in
the application. Previously, sizeof(*mac_t) had to be specified
by an application when performing getsockopt().

Document mac_get_peer(3), and expand documentation of the other
mac_get(3) functions. Note that it's possible to get EINVAL back
from mac_get_fd(3) when pointing it at an inappropriate object.

NOTE: mac_get_fd() and mac_set_fd() support for sockets will
follow shortly, so the documentation is slightly ahead of the
code.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Reduce gratuitous redundancy and length in function names:

mac_setsockopt_label_set() -> mac_setsockopt_label()
mac_getsockopt_label_get() -> mac_getsockopt_label()
mac_getsockopt_peerlabel_ge

Reduce gratuitous redundancy and length in function names:

mac_setsockopt_label_set() -> mac_setsockopt_label()
mac_getsockopt_label_get() -> mac_getsockopt_label()
mac_getsockopt_peerlabel_get() -> mac_getsockopt_peerlabel()

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

GC prototype for mac_destroy_vnode_label(), missed in last commit.

Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated

Modify the MAC Framework so that instead of embedding a (struct label)
in various kernel objects to represent security data, we embed a
(struct label *) pointer, which now references labels allocated using
a UMA zone (mac_label.c). This allows the size and shape of struct
label to be varied without changing the size and shape of these kernel
objects, which become part of the frozen ABI with 5-STABLE. This opens
the door for boot-time selection of the number of label slots, and hence
changes to the bound on the number of simultaneous labeled policies
at boot-time instead of compile-time. This also makes it easier to
embed label references in new objects as required for locking/caching
with fine-grained network stack locking, such as inpcb structures.

This change also moves us further in the direction of hiding the
structure of kernel objects from MAC policy modules, not to mention
dramatically reducing the number of '&' symbols appearing in both the
MAC Framework and MAC policy modules, and improving readability.

While this results in minimal performance change with MAC enabled, it
will observably shrink the size of a number of critical kernel data
structures for the !MAC case, and should have a small (but measurable)
performance benefit (i.e., struct vnode, struct socket) do to memory
conservation and reduced cost of zeroing memory.

NOTE: Users of MAC must recompile their kernel and all MAC modules as a
result of this change. Because this is an API change, third party
MAC modules will also need to be updated to make less use of the '&'
symbol.

Suggestions from: bmilekic
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Use __BEGIN_DECLS and __END_DECLS around userland function prototypes
so that mac.h may be more safely included in userland C++ applications.

PR: bin/56595
Submitted by: "KONDOU, Kazuhiro" <kazuhir

Use __BEGIN_DECLS and __END_DECLS around userland function prototypes
so that mac.h may be more safely included in userland C++ applications.

PR: bin/56595
Submitted by: "KONDOU, Kazuhiro" <kazuhiro@alib.jp>

show more ...

Remove extra tabs indenting MAC library calls; they were there to
line up the function names in an earlier generation of the API when
some of the functions returned structure pointers.

Obtained from

Remove extra tabs indenting MAC library calls; they were there to
line up the function names in an earlier generation of the API when
some of the functions returned structure pointers.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Make the elements argument to mac_prepare() be const.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Add prototype for new libc function mac_prepare_type().

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

Introduce two new MAC Framework and MAC policy entry points:

mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place"
changes to the labels

Introduce two new MAC Framework and MAC policy entry points:

mac_reflect_mbuf_icmp()
mac_reflect_mbuf_tcp()

These entry points permit MAC policies to do "update in place"
changes to the labels on ICMP and TCP mbuf headers when an ICMP or
TCP response is generated to a packet outside of the context of
an existing socket. For example, in respond to a ping or a RST
packet to a SYN on a closed port.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the sete

Add mac_check_vnode_deleteextattr() and mac_check_vnode_listextattr():
explicit access control checks to delete and list extended attributes
on a vnode, rather than implicitly combining with the setextattr and
getextattr checks. This reflects EA API changes in the kernel made
recently, including the move to explicit VOP's for both of these
operations.

Obtained from: TrustedBSD PRoject
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Update NAI copyright to 2003, missed in earlier commits and merges.

Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To d

Move MAC label storage for mbufs into m_tags from the m_pkthdr structure,
returning some additional room in the first mbuf in a chain, and
avoiding feature-specific contents in the mbuf header. To do this:

- Modify mbuf_to_label() to extract the tag, returning NULL if not
found.

- Introduce mac_init_mbuf_tag() which does most of the work
mac_init_mbuf() used to do, except on an m_tag rather than an
mbuf.

- Scale back mac_init_mbuf() to perform m_tag allocation and invoke
mac_init_mbuf_tag().

- Replace mac_destroy_mbuf() with mac_destroy_mbuf_tag(), since
m_tag's are now GC'd deep in the m_tag/mbuf code rather than
at a higher level when mbufs are directly free()'d.

- Add mac_copy_mbuf_tag() to support m_copy_pkthdr() and related
notions.

- Generally change all references to mbuf labels so that they use
mbuf_to_label() rather than &mbuf->m_pkthdr.label. This
required no changes in the MAC policies (yay!).

- Tweak mbuf release routines to not call mac_destroy_mbuf(),
tag destruction takes care of it for us now.

- Remove MAC magic from m_copy_pkthdr() and m_move_pkthdr() --
the existing m_tag support does all this for us. Note that
we can no longer just zero the m_tag list on the target mbuf,
rather, we have to delete the chain because m_tag's will
already be hung off freshly allocated mbuf's.

- Tweak m_tag copying routines so that if we're copying a MAC
m_tag, we don't do a binary copy, rather, we initialize the
new storage and do a deep copy of the label.

- Remove use of MAC_FLAG_INITIALIZED in a few bizarre places
having to do with mbuf header copies previously.

- When an mbuf is copied in ip_input(), we no longer need to
explicitly copy the label because it will get handled by the
m_tag code now.

- No longer any weird handling of MAC labels in if_loop.c during
header copies.

- Add MPC_LOADTIME_FLAG_LABELMBUFS flag to Biba, MLS, mac_test.
In mac_test, handle the label==NULL case, since it can be
dynamically loaded.

In order to improve performance with this change, introduce the notion
of "lazy MAC label allocation" -- only allocate m_tag storage for MAC
labels if we're running with a policy that uses MAC labels on mbufs.
Policies declare this intent by setting the MPC_LOADTIME_FLAG_LABELMBUFS
flag in their load-time flags field during declaration. Note: this
opens up the possibility of post-boot policy modules getting back NULL
slot entries even though they have policy invariants of non-NULL slot
entries, as the policy might have been loaded after the mbuf was
allocated, leaving the mbuf without label storage. Policies that cannot
handle this case must be declared as NOTLATE, or must be modified.

- mac_labelmbufs holds the current cumulative status as to whether
any policies require mbuf labeling or not. This is updated whenever
the active policy set changes by the function mac_policy_updateflags().
The function iterates the list and checks whether any have the
flag set. Write access to this variable is protected by the policy
list; read access is currently not protected for performance reasons.
This might change if it causes problems.

- Add MAC_POLICY_LIST_ASSERT_EXCLUSIVE() to permit the flags update
function to assert appropriate locks.

- This makes allocation in mac_init_mbuf() conditional on the flag.

Reviewed by: sam
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Modify the mac_init_ipq() MAC Framework entry point to accept an
additional flags argument to indicate blocking disposition, and
pass in M_NOWAIT from the IP reassembly code to indicate that
blocking

Modify the mac_init_ipq() MAC Framework entry point to accept an
additional flags argument to indicate blocking disposition, and
pass in M_NOWAIT from the IP reassembly code to indicate that
blocking is not OK when labeling a new IP fragment reassembly
queue. This should eliminate some of the WITNESS warnings that
have started popping up since fine-grained IP stack locking
started going in; if memory allocation fails, the creation of
the fragment queue will be aborted.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...

Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE,
which are no longer required now that we have UFS2 with extended
attribute transactions.

Obtained from: TrustedBSD Project

Garbage collect FREEBSD_MAC_EXTATTR_NAME and FREEBSD_MAC_EXTATTR_NAMESPACE,
which are no longer required now that we have UFS2 with extended
attribute transactions.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories

show more ...