#
dc858fca |
| 04-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
License and wording updates: NAI has authorized the removal of clause three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
|
#
5c8dd342 |
| 30-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Move to C99 sparse structure initialization for the mac_policy_ops structure definition, rather than using an operation vector we translate into the structure. Originally, we used a vector for two reasons:
(1) We wanted to define the structure sparsely, which wasn't supported by the C compiler for structures. For a policy with five entry points, you don't want to have to stick in a few hundred NULL function pointers.
(2) We thought it would improve ABI compatibility allowing modules to work with kernels that had a superset of the entry points defined in the module, even if the kernel had changed its entry point set.
Both of these no longer apply:
(1) C99 gives us a way to sparsely define a static structure.
(2) The ABI problems existed anyway, due to enumeration numbers, argument changes, and semantic mismatches. Since the going rule for FreeBSD is that you really need your modules to pretty closely match your kernel, it's not worth the complexity.
This submit eliminates the operation vector, dynamic allocation of the operation structure, copying of the vector to the structure, and redoes the vectors in each policy to direct structure definitions. One enormous benefit of this change is that we now get decent type checking on policy entry point implementation arguments.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
1979061b |
| 30-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Various minor type, prototype tweaks -- clean up cruft due to lack of type checking on entry points (to be introduced shortly).
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
b914de36 |
| 30-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
While 'mode_t' seemed like a good idea for the access mode argument for MAC access() and open() checks, the argument actually has an int type where it becomes available. Switch to using 'int' for the mode argument throughout the MAC Framework and policy modules.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
Revision tags: release/4.7.0_cvs |
|
#
c27b50f5 |
| 05-Oct-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Merge implementation of mpo_check_vnode_link() for various appropriate file-system aware MAC policies. Sync to MAC tree.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
177142e4 |
| 19-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Pass active_cred and file_cred into the MAC framework explicitly for mac_check_vnode_{poll,read,stat,write}(). Pass in fp->f_cred when calling these checks with a struct file available. Otherwise, pass NOCRED. All currently MAC policies use active_cred, but could now offer the cached credential semantic used for the base system security model.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
Revision tags: release/4.6.2_cvs, release/4.6.2 |
|
#
d8a7b7a3 |
| 31-Jul-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce support for Mandatory Access Control and extensible kernel access control.
Provide implementations of some sample operating system security policy extensions. These are not yet hooked up to the build as other infrastructure is still being committed. Most of these work fairly well and are in daily use in our development and (limited) production environments. Some are not yet in their final form, and a number of the labeled policies waste a lot of kernel memory and will be fixed over the next month or so to be more conservative. They do give good examples of the flexibility of the MAC framework for implementing a variety of security policies.
mac_biba: Implementation of fixed-label Biba integrity policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned integrity levels, and information flow is controlled based on a read-up, write-down policy. Currently, purely hierarchal.
mac_bsdextended: Implementation of a "file system firewall", which allows the administrator to specify a series of rules limiting access by users and groups to objects owned by other users and groups. This policy is unlabeled, relying on existing system security labeling (file permissions/ownership, process credentials).
mac_ifoff: Secure interface silencing. Special-purpose module to limit inappropriate out-going network traffic for silent monitoring scenarios. Prevents the various network stacks from generating any output despite an interface being live for reception.
mac_mls: Implementation of fixed-label Multi-Level Security confidentiality policy, similar to those found in a number of commercial trusted operating systems. All subjects and objects are assigned confidentiality levels, and information flow is controlled based on a write-up, read-down policy. Currently, purely hierarchal, although non-hierarchal support is in the works.
mac_none: Policy module implementing all MAC policy entry points with empty stubs. A good place to start if you want all the prototypes typed in for you, and don't mind a bit of pruning. Can be loaded, but has no access control impact. Useful also for performance measurements.
mac_seeotheruids: Policy module implementing a security service similar to security.bsd.seeotheruids, only a slightly more detailed policy involving exceptions for members of specific groups, etc. This policy is unlabeled, relying on existing system security labeling (process credentials).
mac_test: Policy module implementing basic sanity tests for label handling. Attempts to ensure that labels are not freed multiple times, etc, etc.
Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
7e857dd1 |
| 12-Jun-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- Merge from HEAD
|
#
0304c731 |
| 27-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Add hierarchical jails. A jail may further virtualize its environment by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings.
Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge().
Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call.
Approved by: bz (mentor)
|
Revision tags: release/7.2.0_cvs, release/7.2.0 |
|
#
9c797940 |
| 13-Apr-2009 |
Oleksandr Tymoshenko <gonzo@FreeBSD.org> |
- Merge from HEAD
|
#
6180d318 |
| 29-Mar-2009 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Get rid of VSTAT and replace it with VSTAT_PERMS, which is somewhat better defined.
Approved by: rwatson (mentor)
|
#
1829d5da |
| 12-Mar-2009 |
Warner Losh <imp@FreeBSD.org> |
Update the projects tree to a newer FreeBSD current.
|
#
095b4d26 |
| 09-Mar-2009 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Mark the bsdextended rules sysctl as being mpsafe.
Discussed with: rwatson
|
#
9162f64b |
| 10-Jan-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Rather than having MAC policies explicitly declare what object types they label, derive that information implicitly from the set of label initializers in their policy operations set. This avoids a possible class of programmer errors, while retaining the structure that allows us to avoid allocating labels for objects that don't need them. As before, we regenerate a global mask of labeled objects each time a policy is loaded or unloaded, stored in mac_labeled.
Discussed with: csjp Suggested by: Jacques Vidrine <nectar at apple.com> Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
413628a7 |
| 29-Nov-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFp4: Bring in updated jail support from bz_jail branch.
This enhances the current jail implementation to permit multiple addresses per jail. In addition to IPv4, IPv6 is supported as well. Due to updated checks it is even possible to have jails without an IP address at all, which basically gives one a chroot with restricted process view, no networking,..
SCTP support was updated and supports IPv6 in jails as well.
Cpuset support permits jails to be bound to specific processor sets after creation.
Jails can have an unrestricted (no duplicate protection, etc.) name in addition to the hostname. The jail name cannot be changed from within a jail and is considered to be used for management purposes or as audit-token in the future.
DDB 'show jails' command was added to aid debugging.
Proper compat support permits 32bit jail binaries to be used on 64bit systems to manage jails. Also backward compatibility was preserved where possible: for jail v1 syscalls, as well as with user space management utilities.
Both jail as well as prison version were updated for the new features. A gap was intentionally left as the intermediate versions had been used by various patches floating around the last years.
Bump __FreeBSD_version for the aforementioned and in kernel changes.
Special thanks to: - Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches and Olivier Houchard (cognet) for initial single-IPv6 patches. - Jeff Roberson (jeff) and Randall Stewart (rrs) for their help, ideas and review on cpuset and SCTP support. - Robert Watson (rwatson) for lots and lots of help, discussions, suggestions and review of most of the patch at various stages. - John Baldwin (jhb) for his help. - Simon L. Nielsen (simon) as early adopter testing changes on cluster machines as well as all the testers and people who provided feedback the last months on freebsd-jail and other channels. - My employer, CK Software GmbH, for the support so I could work on this.
Reviewed by: (see above) MFC after: 3 months (this is just so that I get the mail) X-MFC Before: 7.2-RELEASE if possible
|
Revision tags: release/6.4.0_cvs, release/6.4.0 |
|
#
a1b9471a |
| 30-Oct-2008 |
Robert Watson <rwatson@FreeBSD.org> |
The V* flags passed using an accmode_t to the access() and open() access control checks in mac_bsdextended are not in the same namespace as the MBI_ flags used in ugidfw policies, so add an explicit conversion routine to get from one to the other.
Obtained from: TrustedBSD Project
|
#
168a6ae7 |
| 27-Oct-2008 |
Robert Watson <rwatson@FreeBSD.org> |
When the mac_bsdextended policy is unloaded, free rule memory.
Obtained from: TrustedBSD Project MFC after: 3 days
|
#
34f6230e |
| 27-Oct-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Break mac_bsdextended.c out into multiple .c files, with the base access control logic and policy registration remaining in that file, and access control checks broken out into other files by class of check.
Obtained from: TrustedBSD Project
|
#
e11e3f18 |
| 23-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Fix a number of style issues in the MALLOC / FREE commit. I've tried to be careful not to fix anything that was already broken; the NFSv4 code is particularly bad in this respect.
|
#
1ede983c |
| 23-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the MALLOC and FREE macros. They are an abomination unto style(9).
MFC after: 3 months
|
#
cecd8edb |
| 17-Sep-2008 |
Attilio Rao <attilio@FreeBSD.org> |
Remove the suser(9) interface from the kernel. It has been replaced from years by the priv_check(9) interface and just very few places are left. Note that compatibility stub with older FreeBSD version (all above the 8 limit though) are left in order to reduce diffs against old versions. It is responsibility of the maintainers for any module, if they think it is the case, to axe out such cases.
This patch breaks KPI so __FreeBSD_version will be bumped into a later commit.
This patch needs to be credited 50-50 with rwatson@ as he found time to explain me how the priv_check() works in detail and to review patches.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com> Reviewed by: rwatson
|
#
dfa7fd1d |
| 10-Sep-2008 |
Edward Tomasz Napierala <trasz@FreeBSD.org> |
Remove VSVTX, VSGID and VSUID. This should be a no-op, as VSVTX == S_ISVTX, VSGID == S_ISGID and VSUID == S_ISUID.
Approved by: rwatson (mentor)
|
#
0359a12e |
| 28-Aug-2008 |
Attilio Rao <attilio@FreeBSD.org> |
Decontextualize the couplet VOP_GETATTR / VOP_SETATTR as the passed thread was always curthread and totally unuseful.
Tested by: Giovanni Trematerra <giovanni dot trematerra at gmail dot com>
|
#
6356dba0 |
| 23-Aug-2008 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce two related changes to the TrustedBSD MAC Framework:
(1) Abstract interpreter vnode labeling in execve(2) and mac_execve(2) so that the general exec code isn't aware of the details of allocating, copying, and freeing labels, rather, simply passes in a void pointer to start and stop functions that will be used by the framework. This change will be MFC'd.
(2) Introduce a new flags field to the MAC_POLICY_SET(9) interface allowing policies to declare which types of objects require label allocation, initialization, and destruction, and define a set of flags covering various supported object types (MPC_OBJECT_PROC, MPC_OBJECT_VNODE, MPC_OBJECT_INPCB, ...). This change reduces the overhead of compiling the MAC Framework into the kernel if policies aren't loaded, or if policies require labels on only a small number or even no object types. Each time a policy is loaded or unloaded, we recalculate a mask of labeled object types across all policies present in the system. Eliminate MAC_ALWAYS_LABEL_MBUF option as it is no longer required.
MFC after: 1 week ((1) only) Reviewed by: csjp Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
|
#
80794edc |
| 31-Jul-2008 |
Robert Watson <rwatson@FreeBSD.org> |
In mac_bsdextended's auditctl and acct policy access control checks, return success if the passed vnode pointer is NULL (rather than panicking). This can occur if either audit or accounting are disabled while the policy is running.
Since the swapoff control has no real relevance to this policy, which is concerned about intent to write rather than water under the bridge, remove it.
PR: kern/126100 Reported by: Alan Amesbury <amesbury at umn dot edu> MFC after: 3 days
|