#
b0323ea3 |
| 17-Nov-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Implement sockets support for __mac_get_fd() and __mac_set_fd() system calls, and prefer these calls over getsockopt()/setsockopt() for ABI reasons. When addressing UNIX domain sockets, these calls retrieve and modify the socket label, not the label of the rendezvous vnode.
- Create mac_copy_socket_label() entry point based on mac_copy_pipe_label() entry point, intended to copy the socket label into temporary storage that doesn't require a socket lock to be held (currently Giant).
- Implement mac_copy_socket_label() for various policies.
- Expose socket label allocation, free, internalize, externalize entry points as non-static from mac_net.c.
- Use mac_socket_label_set() in __mac_set_fd().
MAC-aware applications may now use mac_get_fd(), mac_set_fd(), and mac_get_peer() to retrieve and set various socket labels without directly invoking the getsockopt() interface.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
4af32bd8 |
| 12-Nov-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Remove extraneous fullpath variable, which broke lint build. This extra argument to the devfs MAC policy entry points was accidentally merged from the MAC branch during my earlier commit to these policies, and is not scheduled to be merged just yet.
|
#
eca8a663 |
| 12-Nov-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Modify the MAC Framework so that instead of embedding a (struct label) in various kernel objects to represent security data, we embed a (struct label *) pointer, which now references labels allocated using a UMA zone (mac_label.c). This allows the size and shape of struct label to be varied without changing the size and shape of these kernel objects, which become part of the frozen ABI with 5-STABLE. This opens the door for boot-time selection of the number of label slots, and hence changes to the bound on the number of simultaneous labeled policies at boot-time instead of compile-time. This also makes it easier to embed label references in new objects as required for locking/caching with fine-grained network stack locking, such as inpcb structures.
This change also moves us further in the direction of hiding the structure of kernel objects from MAC policy modules, not to mention dramatically reducing the number of '&' symbols appearing in both the MAC Framework and MAC policy modules, and improving readability.
While this results in minimal performance change with MAC enabled, it will observably shrink the size of a number of critical kernel data structures for the !MAC case, and should have a small (but measurable) performance benefit (i.e., struct vnode, struct socket) due to memory conservation and reduced cost of zeroing memory.
NOTE: Users of MAC must recompile their kernel and all MAC modules as a result of this change. Because this is an API change, third party MAC modules will also need to be updated to make less use of the '&' symbol.
Suggestions from: bmilekic Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
Revision tags: release/4.9.0_cvs, release/4.9.0 |
|
#
54e2c147 |
| 21-Aug-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Implementations of mpo_check_vnode_deleteextattr() and mpo_check_vnode_listextattr() for Biba, MLS, and BSD Extended.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
13031647 |
| 31-Jul-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Improve consistency with the Biba policy -- rename mac_mls_subject_equal_ok() to mac_mls_subject_privileged(), which more consistently reflects the fact that this is really about our notion of privilege in the MLS policy.
Since we don't use suser() for privilege in MLS, remove the suser check from the ifnet relabel ioctl, and replace it with an MLS privilege check.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
f51e5803 |
| 23-Jun-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Redesign the externalization APIs from the MAC Framework to the MAC policy modules to improve robustness against C string bugs and vulnerabilities. Following these revisions, all string construction of labels for export to userspace (or elsewhere) is performed using the sbuf API, which prevents the consumer from having to perform laborious and intricate pointer and buffer checks. This substantially simplifies the externalization logic, both at the MAC Framework level, and in individual policies; this becomes especially useful when policies export more complex label data, such as with compartments in Biba and MLS.
Bundled in here are some other minor fixes associated with externalization: including avoiding malloc while holding the process mutex in mac_lomac, and hence avoid a failure mode when printing labels during a downgrade operation due to the removal of the M_NOWAIT case.
This has been running in the MAC development tree for about three weeks without problems.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
Revision tags: release/5.1.0_cvs, release/5.1.0 |
|
#
f32bb052 |
| 02-Jun-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Use mac_biba_label_copy() and mac_mls_label_copy() to implement the mpo_copy_mbuf_label() entry point for Biba and MLS, respectively. Otherwise, labels in m_tags may not be properly propagated across some classes of mbuf operations. This problem caused these policies to fail-stop the system with a panic.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
05e830f1 |
| 31-May-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Rewrite Biba and MLS label externalization code to use sbufs instead of C strings internally; C strings require a lot of return value checking that (a) takes a lot of space, and (b) is difficult to get right. Prior to the advent of compartment support, modeling APIs for helper functions on snprintf worked fine; with the additional complexity, the sbuf_printf() API makes a lot more sense.
While doing this, break out the printing of sequential compartment lists into a helper function, mac_{biba,mls}_compartment_to_string(). This permits the main body of mac_{biba,mls}_element_to_string() to be concerned only with identifying sequential ranges rather than rendering.
At a less disruptive moment, we'll push the move from snprintf()-like interface to sbuf()-like interface up into the MAC Framework layer.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
c2ea1fec |
| 30-May-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Make sure all character pointers are properly initialized; this was mismerged from the MAC tree, and didn't get picked up because warnings are not normally fatal in per-module builds, only when they are linked into a kernel (such as LINT).
Reported by: des and the technicolor tinderbox Approved by: re (scottl)
|
#
7792fe57 |
| 30-May-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Use strsep() in preference to manual string parsing for Biba and MLS label internalization. Use sensible variable names. Include comments. Doesn't fix any known bugs, but may fix unknown ones.
Approved by: re (scottl)
|
#
9a1b0237 |
| 15-Apr-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Enable the MAC_ALWAYS_LABEL_MBUF flag for the Biba, LOMAC, MLS, and Test policies. Missed in earlier merge.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
Revision tags: release/4.8.0_cvs, release/4.8.0 |
|
#
78183ac2 |
| 27-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Trim "trustedbsd_" from the front of the policy module "short names"; the vendor is only included in the long name currently, reducing verbosity when modules are registered and unregistered.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
5e7ce478 |
| 26-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Modify the mac_init_ipq() MAC Framework entry point to accept an additional flags argument to indicate blocking disposition, and pass in M_NOWAIT from the IP reassembly code to indicate that blocking is not OK when labeling a new IP fragment reassembly queue. This should eliminate some of the WITNESS warnings that have started popping up since fine-grained IP stack locking started going in; if memory allocation fails, the creation of the fragment queue will be aborted.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
4c64787a |
| 25-Mar-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Expand scope of the MLS policy to include a new entry point available for enforcement:
mac_mls_check_system_swapon() - Require that the subject and the swapfile target vnode labels dominate one another. An additional check is probably needed here to require that the swapfile target has a label of mls/high to prevent information leakage through swapfiles.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
a163d034 |
| 19-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB.
Approved by: trb
|
#
12613c76 |
| 04-Feb-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Place more stringent checks on process credential relabeling for the Biba and MLS policies: as we support both an effective (single) element and range (available) elements, require that the single be in the range if both the single and range are defined in the update. Remove comments suggesting that such a check might be a good idea.
Don't introduce a similar check for network interfaces; due to different interpretations of the single and range elements, it's not clear that it's useful to do so.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
4d2ec8de |
| 04-Feb-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Rename the variable 'grade' to 'type' in interface parsing and labeling for Biba.
Rename the variable 'level' to 'type' in interface parsing and labeling for MLS.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
44956c98 |
| 21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
Revision tags: release/5.0.0_cvs, release/5.0.0 |
|
#
eba0370d |
| 10-Dec-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Default policies to on: if you load them or compile them into your kernel, you should expect them to do something, so now they do. This doesn't affect users who don't load or explicitly compile in the policies.
Approved by: re (jhb) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
990b4b2d |
| 09-Dec-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Remove dm_root entry from struct devfs_mount. It's never set, and is unused. Replace it with a dm_mount back-pointer to the struct mount that the devfs_mount is associated with. Export that pointer to MAC Framework entry points, where all current policies don't use the pointer. This permits the SEBSD port of SELinux's FLASK/TE to compile out-of-the-box on 5.0-CURRENT with full file system labeling support.
Approved by: re (murray) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
63b6f478 |
| 12-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Garbage collect mac_create_devfs_vnode() -- it hasn't been used since we brought in the new cache and locking model for vnode labels. We now rely on mac_associate_devfs_vnode().
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
ef5def59 |
| 08-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Update MAC modules for changes in arguments for exec MAC policy entry points to include an explicit execlabel.
Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
939b97cb |
| 05-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Update policy modules for changes in arguments associated with support for label access on the interpreter, not just the shell script. No policies currently present in the system rely on the new labels.
|
#
b317d6f0 |
| 05-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Since neither the Biba policy nor the MLS policy make use of transitioning, remove their transition entry points.
Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
dc858fca |
| 04-Nov-2002 |
Robert Watson <rwatson@FreeBSD.org> |
License and wording updates: NAI has authorized the removal of clause three from their BSD-style license. Also, s/NAI Labs/Network Associates Laboratories/.
|