us to reduce namespace pollution by doing a nested include of _label.h
rather than mac.h. mac.h contains lots of baggage, whereas _label.h
contains much less. A follow-up sweep to change nested inclusion will
follow. The problem regarding exporting 'struct label' to userland
due to excessive exporting of kernel structures to userland still
needs to be resolved.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Suggested by: bde
parts rather than use vop_{read,write}_args. Access to these
functions will ultimately not be available through the
"vop_{read,write}+IO_EXT" API but this functionality is retained
for debugging purposes for now.
Sponsored by: DARPA & NAI Labs.
to do this made the following script hang:
#!/bin/sh
set -ex
extattrctl start /tmp
extattrctl initattr 64 /tmp/EA00
extattrctl enable /tmp user ea00 /tmp/EA00
extattrctl showattr /tmp/EA00
if the filesystem backing /tmp did not support EAs.
The real solution is probably to have the extattrctl syscall do the
unlocking rather than depend on the filesystem to do it. Considering
that extattrctl is going to be made obsolete anyway, this has dogwash
priority.
Sponsored by: DARPA & NAI Labs.
UFS only thing, and FFS should in principle not know if it is enabled
or not.
This commit cleans ffs_vnops.c for such knowledge, but not ffs_vfsops.c
Sponsored by: DARPA and NAI Labs.
these in the main filesystems. This does not change the resulting code
but makes the source a little bit more grepable.
Sponsored by: DARPA and NAI Labs.
there is a global lock over the undo structures because of the way
they are managed.
Switch to using SLIST instead of rolling our own linked list.
Fix several races where a permission check was done before a
copyin/copyout, if the copy happened to fault it may have been
possible to race for access to a semaphore set that one shouldn't
have access to.
Requested by: rwatson
Tested by: NetBSD regression suite.
entire subsystem, we could move to per-message queue locks, however
the messages themselves seem to come from a global pool and to avoid
over-locking this code (locking individual queues, then the global
pool) I've opted to just do it this way.
Requested by: rwatson
Tested by: NetBSD's regression suite.
as part of the TrustedBSD MAC framework. Instrument the creation
and destruction of pipes, as well as relevant operations, with
necessary calls to the MAC framework. Note that the locking
here is probably not quite right yet, but fixes will be forthcoming.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
the jail check and the MAC socket labeling in socreate(). This handles
socket creation using a cached credential better (such as in the NFS
client code when rebuilding a socket following a disconnect: the new
socket should be created using the nfsmount cached cred, not the cred
of the thread causing the socket to be rebuilt).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
enforcement of MAC policy on the read or write operations:
- In ext2fs, don't enforce MAC on loop-back reads and writes supporting
directory read operations in lookup(), directory modifications in
rename(), directory write operations in mkdir(), symlink write
operations in symlink().
- In the NFS client locking code, perform vn_rdwr() on the NFS locking
socket without enforcing MAC, since the write is done on behalf of
the kernel NFS implementation rather than the user process.
- In UFS, don't enforce MAC on loop-back reads and writes supporting
directory read operations in lookup(), and symlink write operations
in symlink().
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
'options MAC') as long as IO_NOMACCHECK is not set in the IO flags.
If IO_NOMACCHECK is set, bypass MAC checks in vn_rdwr(). This allows
vn_rdwr() to be used as a utility function inside of file systems
where MAC checks have already been performed, or where the operation
is being done on behalf of the kernel not the user.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI LAbs
by looking at the "type of number" field and providing configurable hooks
to correct the numbers accordingly. See keywords add-prefix, prefix-national
and prefix-international in isdnd.rc(5).
This feature was implemented by Christian Ullrich <chris@chrullrich.de>
enabled and the kernel provides the MAC registration and entry point
service. Declare a dependency on that module service for any
MAC module registered using mac_policy.h. For now, hard code the
version as 1, but once we've come up with a versioning policy, we'll
move to a #define of some sort. In the mean time, this will prevent
loading a MAC module when 'options MAC' isn't present, which (due to
a bug in the kernel linker) can result if the MAC module is preloaded
via loader.conf.
This particular evil recommended by: peter
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI LAbs
indicate that the calling code has already performed necessary MAC
checks (if any) for this operation. This flag will help resolve
layering problems that existing because vn_rdwr() is called both
on behalf of user processes directly (such as in system calls of
various sorts, during core dumps, etc), as well as deep in the file
system code on behalf of the file system (such as in UFS, ext2fs,
etc). Code that is acting on behalf of a kernel service rather
than explicitly on behalf of a user process will specify this flag.
By default, MAC checks will be performed (and generally should
be performed).
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
access control: as with SVR4, very few changes required since almost
all services are implemented by wrapping existing native FreeBSD
system calls. Only readdir() calls need additional instrumentation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
SVR4 emulation relating to readdir() and fd_revoke(). All other
services appear to be implemented by simply wrapping existing
FreeBSD native system call implementations, so don't require local
instrumentation in the emulator module.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
struct mount is not cached as *mp at this point, so use
vp->v_mount directly, following the check that it's non-NULL.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
This is an architecture that present a thing message passing interface
to the OS. You can query as to how many ports and what kind are attached
and enable them and so on.
A less grand view is that this is just another way to package SCSI (SPI or
FC) and FC-IP into a one-driver interface set.
This driver support the following hardware:
LSI FC909: Single channel, 1Gbps, Fibre Channel (FC-SCSI only)
LSI FC929: Dual Channel, 1-2Gbps, Fibre Channel (FC-SCSI only)
LSI 53c1020: Single Channel, Ultra4 (320M) (Untested)
LSI 53c1030: Dual Channel, Ultra4 (320M)
Currently it's in fair shape, but expect a lot of changes over the
next few weeks as it stabilizes.
Credits:
The driver is mostly from some folks from Jeff Roberson's company- I've
been slowly migrating it to broader support that I it came to me as.
The hardware used in developing support came from:
FC909: LSI-Logic, Advansys (now Connetix)
FC929: LSI-Logic
53c1030: Antares Microsystems (they make a very fine board!)
MFC after: 3 weeks
thus hiting EIO at the end of file. This is believed to be a feature
(not a bug) of vn_rdwr(), so we turn it off by supplying aresid param.
Reviewed by: rwatson, dg
(I skipped those in contrib/, gnu/ and crypto/)
While I was at it, fixed a lot more found by ispell that I
could identify with certainty to be errors. All of these
were in comments or text, not in actual code.
Suggested by: bde
MFC after: 3 days
- Make getvfsbyname() take a struct xvfsconf *.
- Convert several consumers of getvfsbyname() to use struct xvfsconf.
- Correct the getvfsbyname.3 manpage.
- Create a new vfs.conflist sysctl to dump all the struct xvfsconf in the
kernel, and rewrite getvfsbyname() to use this instead of the weird
existing API.
- Convert some {set,get,end}vfsent() consumers to use the new vfs.conflist
sysctl.
- Convert a vfsload() call in nfsiod.c to kldload() and remove the useless
vfsisloadable() and endvfsent() calls.
- Add a warning printf() in vfs_sysctl() to tell people they are using
an old userland.
After these changes, it's possible to modify struct vfsconf without
breaking the binary compatibility. Please note that these changes don't
break this compatibility either.
When bp will have updated mount_smbfs(8) with the patch I sent him, there
will be no more consumers of the {set,get,end}vfsent(), vfsisloadable()
and vfsload() API, and I will promptly delete it.
sysctl_sysctl_next() to skip this sysctl. The sysctl is
still available, but doesn't appear in a "sysctl -a".
This is especially useful when you want to deprecate a sysctl,
and add a warning into it to warn users that they are using
an old interface. Without this flag, the warning would get
echoed when running "sysctl -a" (which happens at boot).
code to do it when the bios doesn't do it for us, flag it. Then, when
we dealloc, do an equal kludge to get rid of the address. This should
address the can't get IRQ and panic bug in a more graceful way.
# really should write a dealloc routine and just call it instead, since
# this might not fix things in the kldunload case.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.
The new feature (all this description will go in the manpage):
each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:
ipfw add 100 set 23 allow ip from any to any
If "set N" is not specified, the rule belongs to set 0.
Individual sets can be disabled, enabled, and deleted with the commands:
ipfw disable set N
ipfw enable set N
ipfw delete set N
Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.
All sets are enabled by default. The enable/disable status of the sets
can be shown with the command
ipfw show sets
Hopefully, this feature will make life easier to those who want to
have atomic ruleset addition/deletion/tests. Examples:
To add a set of rules atomically:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18
To delete a set of rules atomically
ipfw disable set 18
ipfw delete set 18
ipfw enable set 18
To test a ruleset and disable it and regain control if something
goes wrong:
ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18
here if everything goes well, you press control-C before
the "sleep" terminates, and your ruleset will be left
active. Otherwise, e.g. if you cannot access your box,
the ruleset will be disabled after the sleep terminates.
I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
The CAM<>ATAPI layer was submitted by "Thomas Quinot <thomas@cuivre.fr.eu.org>"
changes form the version on the net by me (formatting, ability to be used
alone without the ATAPI native device driver, proper speed reporting...)
See /sys/conf/NOTES for usage.
Submitted by: Thomas Quinot <thomas@cuivre.fr.eu.org>
#define EDOFUS 88 /* Programming error */
This can be used to signal error situations which indicate that the
program logic or assumptions is deficient.
appologize to those of you who may have been seeing crashes in
code that uses sendfile(2) or other types of external buffers
with mbufs.
Pointed out by, and provided trace:
Niels Chr. Bank-Pedersen <ncbp at bank-pedersen.dk>
VOP wrapper is called from within file systems so can result in odd
loopback effects when MAC enforcement is use with the active (as
opposed to saved) credential. These checks will be moved elsewhere.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
PR40430 by "Peter Haight <peterh@sapros.com>" that has semilar patches
included and which I merged with my own work.
HW sponsored by: FreeBSD Foundation & FreeBSD Mall Inc
Enjoy!
I'm not sure what happenned to the original setting of the P_CONTINUED
flag. it appears to have been lost in the paper shuffling...
Submitted by: David Xu <bsddiy@yahoo.com>
This is pretty much fixes any issue I can find:
- Watchdog timeouts were due to starting the TX DMA engine
before we had a packet ready for it. So the first packet
sent never got out only if we sent more then one packet
at a time did the others make it out and not blow up.
Of course reseting the chip then caused us not to transmit
the first packet again ie. catch-22. This required logic changes.
- Combine interrupts on TX packets being queued up.
- Don't keep running around the RX ring since we might get
out of sync so only go around once per receive
- Let the RX engine recover via the poll interface which is
similar to the TX interface. This way the chip wakes
up with no effort when we read enough packets.
- Do better hand-shaking on RX & TX packets so they don't
start of to soon.
- Force a duplex setting when the link comes up after
an ste_init or it will default to half-duplex and be
really slow. This only happens on subsequent ste_init.
The first one worked.
- Don't call stat_update for every overflow. We only monitor
the collisions so the tick interval is good enough for that.
Just read in the collision stats to minimize bus reads.
- Don't read the miibus every tick since it uses delays and
delays are not good for performance.
- Tie link events directly to the miibus code so the port
gets set correctly if someone changes the port settings.
- Reduce the extreme number of {R,T}FD's. They would consume
130K of kernel memory for each NIC.
- Set the TX_THRESH to wait for the DMA engine to complete
before running the TX FIFO. This hurts peak TX performance
but under bi-directional load the DMA engine can't keep up
with the FIFO. Testing shows that we end up in the case
anyways (a la dc(4) issues but worse since the RX engine hogs
everything).
- When stopping the card do a reset since the reset verifies the
card has stopped. Otherwise on heavy RX load the RX DMA engine
is still stuffing packets into memory. If that happens after
we free the DMA area memory bits get scribled in memory and
bad things happen.
This card still has seemingly unfixable issues under heavy RX load in
which the card takes over the PCI bus.
Sponsored by: Vernier Networks
MFC after: 1 week
argument, not the 'type' argument. As a result of the buf, the
MAC label on some packet header mbufs might not be set in mbufs
allocated using m_getcl(), resulting in a page fault.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
vnode operations. This permits the rights of the user (typically root)
used to turn on accounting to be used when writing out accounting entries,
rather than the credentials of the process generating the accounting
record. This fixes accounting in a number of environments, including
file systems that offer revocation support, MAC environments, some
securelevel scenarios, and in some NFS environments.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
the initproc credential from the proc0 credential. Otherwise, the
proc0 credential is used instead of initproc's credentil when authorizing
start_init() activities prior to initproc hitting userland for the
first time. This could result in the incorrect credential being used
to authorize mounting of the root file system, which could in turn cause
problems for NFS when used in combination with uid/gid ipfw rules, or
with MAC.
Discussed with: julian
Remove some unnecessary assignments to mbuf fields in sis_newbuf(),
the "length" fields are of no use while the mbuf is in the receive ring.
MFC after: 3 days
to parse the binary .kld file as a list of symbols. Fix this by
simply deleting the unwanted argument from the ARGV[] array instead
of trying to skip over it.
to the address of the user's aiocb rather than the kernel's aiocb. (In other
words, prior to this change, the ident field returned by kevent(2) on
completion of an AIO was effectively garbage.)
Submitted by: Romer Gil <rgil@cs.rice.edu>
cninit. This allows a console driver to replace the existing console
by calling cninit again, eg during the device probe. Otherwise the
multiple console code sends output to both, which is unfortunate if
they're using the same hardware.
about calls to SYSCTL_OUT() made with locks held if the buffer has not
been pre-wired. SYSCTL_OUT() should not be called while holding locks,
but if this is not possible, the buffer should be wired by calling
sysctl_wire_old_buffer() before grabbing any locks.
that LIO_READ and LIO_WRITE were requests for kevent()-based
notification of completion. Modify _aio_aqueue() to recognize LIO_READ
and LIO_WRITE.
Notes: (1) The patch provided by the PR perpetuates a second bug in this
code, a direct access to user-space memory. This change fixes that bug
as well. (2) This change is to code that implements a deprecated interface.
It should probably be removed after an MFC.
PR: kern/39556
- bus_space'ify
- generate fake ethernet address using read_random() instead of reading
from timer i/o ports
Other minor fixes:
- remove "hack" in connect_to_master()
- use M_ZERO
- remove unused variable in sbni_ioctl()
- properly release irq in sbni_attach_isa() on attach errors
and the AT24C08 small serial flash parts. We still report these as
the same part (since we group things already), but now we recognize
the small serial versions as well.
firmware revision as well (not sure which firmware versions are needed
for this, but the 6.x and 8.x 'software' versions that I have seem to
support it).
Add dBm comm quality RID. This is like the normal comm quality rid,
except the signal and noise numbers are normalized to dBm. Some
revisions of the prism firmware, however, don't support this RID, and
some that do support it return 0 for quality and/or noise. Your
milage may vary.
the mbuf contains the ethernet header (eh) as well, which ether_input()
will strip off as needed.
This permits the removal (in a backward compatible way) of the
header removal code which right now is replicated in all drivers,
sometimes in an inconsistent way. Also, because many functions
called after ether_input() require the eh in the mbuf, eventually
we can propagate the interface and handle outdated drivers just
in ether_input().
Individual driver changes to use the new interface will follow as
we have a chance to touch them.
NOTE THAT THIS CHANGE IS FULLY BACKWARD COMPATIBLE AND DOES NOT BREAK
BINARY COMPATIBILITY FOR DRIVERS.
MFC after: 3 days
Also take this chance to cleanup the code in fxp_intr_body.
Add a missing block of code to disable interrupts when
reinitializing the interface while doing polling (the RELENG_4
version was correct).
MFC after: 3 days
investigate the problem described below.
I am seeing some strange livelock on recent -current sources with
a slow box under heavy load, which disappears with this change.
This might suggest some kind of problem (either insufficient locking,
or mishandling of priorities) in the poll_idle thread.
- v_vflag is protected by the vnode lock and is used when synchronization
with VOP calls is needed.
- v_iflag is protected by interlock and is used for dealing with vnode
management issues. These flags include X/O LOCK, FREE, DOOMED, etc.
- All accesses to v_iflag and v_vflag have either been locked or marked with
mp_fixme's.
- Many ASSERT_VOP_LOCKED calls have been added where the locking was not
clear.
- Many functions in vfs_subr.c were restructured to provide for stronger
locking.
Idea stolen from: BSD/OS
missed the pmap_kenter/kremove in this file, which leads to read()/write()
of /dev/mem using stale TLB entries. (gah!) Fortunately, mmap of /dev/mem
wasn't affected, so it wasn't as bad as it could have been. This throws
some light on the 'X server affects stability' thread....
Pointed out by: bde
cards. Since the firmware is hard coded into the kernel, I've made it
a kernel option (WI_SYMBOL_FIRMWARE).
Note: This only downloads into the RAM of these cards. It doesn't
download into FLASH, and is somewhat limited. There needs to be a
better way to deal, but this works for now. My Symbol LA4132 CF card
works now.
Obtained from: NetBSD
linker_load_module() instead.
This fixes a bug where the kernel was unable to properly locate and
load a kernel module in vfs_mount() (and probably in the netgraph
code as well since it was using the same function). This is because
the linker_load_file() does not properly search the module path.
Problem found by: peter
Reviewed by: peter
Thanks to: peter
kernel access control.
When generating nd6 output on an interface, label the packet
appropriately.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
case, also preserve the MAC label. Note that this mbuf allocation
is fairly non-optimal, but not my fault.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
embedded into their file_entry descriptor. This is more for
correctness, since these files cannot be bmap'ed/mmap'ed anyways.
Enforce this restriction.
Submitted by: tes@sgi.com
kernel access control.
Teach devfs how to respond to pathconf() _POSIX_MAC_PRESENT queries,
allowing it to indicate to user processes that individual vnode labels
are available.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Invoke appropriate MAC entry points for a number of VFS-related
operations in the Linux ABI module. In particular, handle uselib
in a manner similar to open() (more work is probably needed here),
as well as handle statfs(), and linux readdir()-like calls.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Add MAC support for the UDP protocol. Invoke appropriate MAC entry
points to label packets that are generated by local UDP sockets,
and to authorize delivery of mbufs to local sockets both in the
multicast/broadcast case and the unicast case.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Introduce two ioctls, SIOCGIFMAC, SIOCSIFMAC, which permit user
processes to manage the MAC labels on network interfaces. Note
that this is part of the user process API/ABI that will be revised
prior to 5.0-RELEASE.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Add MAC support for if_ppp. Label packets as they are removed from
the raw PPP mbuf queue. Preserve the mbuf MAC label across various
PPP data-munging and reconstitution operations. Perform access
control checks on mbufs to be transmitted via the interface.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Label packets generated by the gif virtual interface.
Perform access control on packets delivered to gif virtual interfaces.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Invoke appropriate MAC framework entry points to authorize readdir()
operations in the native ABI.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
Make idle process state more consistant.
Add an assert on thread state.
Clean up idleproc/mi_switch() interaction.
Use a local instead of referencing curthread 7 times in a row
(I've been told curthread can be expensive on some architectures)
Remove some commented out code.
Add a little commented out code (completion coming soon)
Reviewed by: jhb@freebsd.org
kernel access control.
Hook up various policy modules to the kernel build.
Note that a number of these modules require futher entry point commits
in the remainder of the kernel to become fully functional, but enough
of the pieces are in place to allow experimentation.
Note also that it would be desirable to not build the mac_*.ko modules
if 'options MAC' is not defined in the kernel configuration, because
the resulting modules are not useful without the kernel option. There
doesn't appear to be precedent for a way to do this -- for example,
we allow ipfw.ko to be built even if 'options NETINET' isn't defined.
Suggests welcomed on the "best" way to do this.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
structure. This prevents a boatload of warnings in the MAC modules,
so we can hook them up to the build.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control
Invoke appropriate MAC framework entry points to authorize a number
of vnode operations, including read, write, stat, poll. This permits
MAC policies to revoke access to files following label changes,
and to limit information spread about the file to user processes.
Note: currently the file cached credential is used for some of
these authorization check. We will need to expand some of the
MAC entry point APIs to permit multiple creds to be passed to
the access control check to allow diverse policy behavior.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Restructure the vn_open_cred() access control checks to invoke
the MAC entry point for open authorization. Note that MAC can
reject open requests where existing DAC code skips the open
authorization check due to O_CREAT. However, the failure mode
here is the same as other failure modes following creation,
wherein an empty file may be left behind.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Invoke an appropriate MAC entry point to authorize execution of
a file by a process. The check is placed slightly differently
than it appears in the trustedbsd_mac tree so that it prevents
a little more information leakage about the target of the execve()
operation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
the inits/destroys are done without the cache locks held even in the
persistent-lock calls. I may be cheating a little by using the MAC
"already initialized" flag for now.
other references to that vnode as a trace vnode in other processes as well
as in any pending requests on the todo list. Thus, it is possible for a
ktrace request structure to have a NULL ktr_vp when it is destroyed in
ktr_freerequest(). We shouldn't call vrele() on the vnode in that case.
Reported by: bde
pointer and incoming mbuf pointer will be non-NULL in tcp_respond().
This is relied on by the MAC code for correctness, as well as
existing code.
Obtained from: TrustedBSD PRoject
Sponsored by: DARPA, NAI Labs
kernel access control.
Add support for labeling most out-going ICMP messages using an
appropriate MAC entry point. Currently, we do not explicitly
label packet reflect (timestamp, echo request) ICMP events,
implicitly using the originating packet label since the mbuf is
reused. This will be made explicit at some point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Instrument chdir() and chroot()-related system calls to invoke
appropriate MAC entry points to authorize the two operations.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Implement two IOCTLs at the socket level to retrieve the primary
and peer labels from a socket. Note that this user process interface
will be changing to improve multi-policy support.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Modify procfs so that (when mounted multilabel) it exports process MAC
labels as the vnode labels of procfs vnodes associated with processes.
Approved by: des
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Modify pseudofs so that it can support synthetic file systems with
the multilabel flag set. In particular, implement vop_refreshlabel()
as pn_refreshlabel(). Implement pfs_refreshlabel() to invoke this,
and have it fall back to the mount label if the file system does
not implement pn_refreshlabel() for the node. Otherwise, permit
the file system to determine how the service is provided.
Approved by: des
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Authorize vop_readlink() and vop_lookup() activities during recursive
path lookup via namei() via calls to appropriate MAC entry points.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Authorize the creation of UNIX domain sockets in the file system
namespace via an appropriate invocation a MAC framework entry
point.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Instrument ctty driver invocations of various vnode operations on the
terminal controlling tty to perform appropriate MAC framework
authorization checks.
Note: VOP_IOCTL() on the ctty appears to be authorized using NOCRED in
the existing code rather than td->td_ucred. Why?
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Instrument the ktrace write operation so that it invokes the MAC
framework's vnode write authorization check.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
kernel access control.
Instrument the kernel ACL retrieval and modification system calls
to invoke MAC framework entry points to authorize these operations.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
sizes. Previously, the end result was at the mercy of the card's default
setting. This change will reduce the number of buffer underruns for
some users.
PR: kern/37929
Submitted by: Thomas Nystrom <thn@saeab.se>
MFC after: 7 days
and move them into md_uac in struct mdproc. mdproc is protected by the
proc lock. md_flags now is only ever modified by the current thread, so
it doesn't need a lock.
- Rename the constants for all the per-thread MD flags to use MDTD_*
instead of MDP_*.
kernel access control.
Instrument the TCP socket code for packet generation and delivery:
label outgoing mbufs with the label of the socket, and check socket and
mbuf labels before permitting delivery to a socket. Assign labels
to newly accepted connections when the syncache/cookie code has done
its business. Also set peer labels as convenient. Currently,
MAC policies cannot influence the PCB matching algorithm, so cannot
implement polyinstantiation. Note that there is at least one case
where a PCB is not available due to the TCP packet not being associated
with any socket, so we don't label in that case, but need to handle
it in a special manner.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
by pmap_qenter() and pmap_qremove() is pointless. In fact, it probably
leads to unnecessary pmap_page_protect() calls if one of these pages is
paged out after unwiring.
Note: setting PG_MAPPED asserts that the page's pv list may be
non-empty. Since checking the status of the page's pv list isn't any
harder than checking this flag, the flag should probably be eliminated.
Alternatively, PG_MAPPED could be set by pmap_enter() exclusively
rather than various places throughout the kernel.