aboutsummaryrefslogtreecommitdiff
path: root/sys/security/mac
Commit message (Collapse)AuthorAgeFilesLines
* MAC: improve handling of listening socketsMichael Tuexen2024-09-262-6/+14
| | | | | | | | | so_peerlabel can only be used when the socket is not listening. Reviewed by: markj MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D46755
* MAC: improve consistency in error handlingMichael Tuexen2024-09-261-0/+1
| | | | | | | | | | Whenever mac_syncache_init() returns an error, ensure that *label = NULL. This simplifies the error handling by the caller. Reviewed by: rscheff MFC after: 1 week Sponsored by: Netflix, Inc. Differential Revision: https://reviews.freebsd.org/D46701
* sys: Automated cleanup of cdefs and other formattingWarner Losh2023-11-272-2/+0
| | | | | | | | | | | | | | | | Apply the following automated changes to try to eliminate no-longer-needed sys/cdefs.h includes as well as now-empty blank lines in a row. Remove /^#if.*\n#endif.*\n#include\s+<sys/cdefs.h>.*\n/ Remove /\n+#include\s+<sys/cdefs.h>.*\n+#if.*\n#endif.*\n+/ Remove /\n+#if.*\n#endif.*\n+/ Remove /^#if.*\n#endif.*\n/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/types.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/param.h>/ Remove /\n+#include\s+<sys/cdefs.h>\n#include\s+<sys/capsicum.h>/ Sponsored by: Netflix
* Remove gratuitous copyouts of unchanged struct mac.Brooks Davis2023-11-134-9/+10
| | | | | | | | | | | | | The get operations change the data pointed to by the structure, but do not update the contents of the struct. Mark the struct mac arguments of mac_[gs]etsockopt_*label() and mac_check_structmac_consistent() const to prevent this from changing in the future. Reviewed by: markj MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D14488
* sys: Remove $FreeBSD$: one-line .c patternWarner Losh2023-08-1619-38/+0
| | | | Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
* sys: Remove $FreeBSD$: two-line .h patternWarner Losh2023-08-163-6/+0
| | | | Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
* mac_ipacl: new MAC policy module to limit jail/vnet IP configurationShivank Garg2023-07-264-0/+43
| | | | | | | | | | | | | The mac_ipacl policy module enables fine-grained control over IP address configuration within VNET jails from the base system. It allows the root user to define rules governing IP addresses for jails and their interfaces using the sysctl interface. Requested by: multiple Sponsored by: Google, Inc. (GSoC 2019) MFC after: 2 months Reviewed by: bz, dch (both earlier versions) Differential Revision: https://reviews.freebsd.org/D20967
* mac: Honor order when registering MAC modules.Steve Kiernan2023-04-181-22/+16
| | | | | | | | Ensure MAC modules are inserted in order that they are registered. Reviewed by: markj Obtained from: Juniper Networks, Inc. Differential Revision: https://reviews.freebsd.org/D39589
* kdb: Modify securelevel policyMark Johnston2023-03-302-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, sysctls which enable KDB in some way are flagged with CTLFLAG_SECURE, meaning that you can't modify them if securelevel > 0. This is so that KDB cannot be used to lower a running system's securelevel, see commit 3d7618d8bf0b7. However, the newer mac_ddb(4) restricts DDB operations which could be abused to lower securelevel while retaining some ability to gather useful debugging information. To enable the use of KDB (specifically, DDB) on systems with a raised securelevel, change the KDB sysctl policy: rather than relying on CTLFLAG_SECURE, add a check of the current securelevel to kdb_trap(). If the securelevel is raised, only pass control to the backend if MAC specifically grants access; otherwise simply check to see if mac_ddb vetoes the request, as before. Add a new secure sysctl, debug.kdb.enter_securelevel, to override this behaviour. That is, the sysctl lets one enter a KDB backend even with a raised securelevel, so long as it is set before the securelevel is raised. Reviewed by: mhorne, stevek MFC after: 1 month Sponsored by: Juniper Networks Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D37122
* IfAPI: Add if_get/setmaclabel() and use it.Justin Hibbits2023-01-313-18/+18
| | | | | | | | | Summary: Port the MAC modules to use the IfAPI APIs as part of this. Sponsored by: Juniper Networks, Inc. Reviewed by: glebius Differential Revision: https://reviews.freebsd.org/D38197
* vfs: stop using NDFREEMateusz Guzik2022-12-191-3/+4
| | | | | | | It provides nothing but a branchfest and next to no consumers want it anyway. Tested by: pho
* Bump MAC_VERSION to 5Allan Jude2022-10-071-1/+2
| | | | | | | | 2449b9e5fe565be757a4b29093fd1c9c6ffcf3c9 introduced API changes that require ensuring that loadable MAC modules use the matching API. Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc.
* vfs: introduce V_PCATCH to stop abusing PCATCHMateusz Guzik2022-09-171-2/+2
|
* protosw: refactor protosw and domain static declaration and loadGleb Smirnoff2022-08-171-2/+2
| | | | | | | | | | | | | | | | | | | o Assert that every protosw has pr_attach. Now this structure is only for socket protocols declarations and nothing else. o Merge struct pr_usrreqs into struct protosw. This was suggested in 1996 by wollman@ (see 7b187005d18ef), and later reiterated in 2006 by rwatson@ (see 6fbb9cf860dcd). o Make struct domain hold a variable sized array of protosw pointers. For most protocols these pointers are initialized statically. Those domains that may have loadable protocols have spacers. IPv4 and IPv6 have 8 spacers each (andre@ dff3237ee54ea). o For inetsw and inet6sw leave a comment noting that many protosw entries very likely are dead code. o Refactor pf_proto_[un]register() into protosw_[un]register(). o Isolate pr_*_notsupp() methods into uipc_domain.c Reviewed by: melifaro Differential revision: https://reviews.freebsd.org/D36232
* mac: cheaper check for mac_pipe_check_readMateusz Guzik2022-08-173-2/+20
| | | | | Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D36082
* mac: s/0/false/ in macros denoting probe enablementMateusz Guzik2022-08-111-14/+14
| | | | No functional changes.
* mac: kdb/ddb framework hooksMitchell Horne2022-07-183-0/+96
| | | | | | | | | | | | | | | | Add three simple hooks to the debugger allowing for a loaded MAC policy to intervene if desired: 1. Before invoking the kdb backend 2. Before ddb command registration 3. Before ddb command execution We extend struct db_command with a private pointer and two flag bits reserved for policy use. Reviewed by: markj Sponsored by: Juniper Networks, Inc. Sponsored by: Klara, Inc. Differential Revision: https://reviews.freebsd.org/D35370
* sysent: Get rid of bogus sys/sysent.h include.Dmitry Chagin2022-05-281-1/+0
| | | | | | Where appropriate hide sysent.h under proper condition. MFC after: 2 weeks
* vfs: remove the unused thread argument from NDINIT*Mateusz Guzik2021-11-251-2/+2
| | | | | | See b4a58fbf640409a1 ("vfs: remove cn_thread") Bump __FreeBSD_version to 1400043.
* mac: cheaper check for ifnet_create_mbuf and ifnet_check_transmitMateusz Guzik2021-06-293-10/+40
| | | | Sponsored by: Rubicon Communications, LLC ("Netgate")
* tcp_input/syncache: acquire only read lock on PCB for SYN,!ACK packetsGleb Smirnoff2021-04-121-1/+1
| | | | | | | | | | | | | | | | | | When packet is a SYN packet, we don't need to modify any existing PCB. Normally SYN arrives on a listening socket, we either create a syncache entry or generate syncookie, but we don't modify anything with the listening socket or associated PCB. Thus create a new PCB lookup mode - rlock if listening. This removes the primary contention point under SYN flood - the listening socket PCB. Sidenote: when SYN arrives on a synchronized connection, we still don't need write access to PCB to send a challenge ACK or just to drop. There is only one exclusion - tcptw recycling. However, existing entanglement of tcp_input + stacks doesn't allow to make this change small. Consider this patch as first approach to the problem. Reviewed by: rrs Differential revision: https://reviews.freebsd.org/D29576
* Add a comment on why the call to mac_vnode_relabel() might be in the wrongRobert Watson2021-02-271-3/+12
| | | | | | place -- in the VOP rather than vn_setexttr() -- and that it is for historic reasons. We might wish to relocate it in due course, but this way at least we document the asymmetry.
* Convert remaining cap_rights_init users to cap_rights_init_oneMateusz Guzik2021-01-121-2/+4
| | | | | | | | | | | | | semantic patch: @@ expression rights, r; @@ - cap_rights_init(&rights, r) + cap_rights_init_one(&rights, r)
* mac: cheaper check for mac_vnode_check_readlinkMateusz Guzik2021-01-083-2/+20
|
* cache: combine fast path enabled status into one flagMateusz Guzik2021-01-061-0/+3
| | | | Tested by: pho
* pipe: allow for lockless pipe_statMateusz Guzik2020-11-193-3/+30
| | | | | | | | | | | | | | | | | | pipes get stated all thet time and this avoidably contributed to contention. The pipe lock is only held to accomodate MAC and to check the type. Since normally there is no probe for pipe stat depessimize this by having the flag. The pipe_state field gets modified with locks held all the time and it's not feasible to convert them to use atomic store. Move the type flag away to a separate variable as a simple cleanup and to provide stable field to read. Use short for both fields to avoid growing the struct. While here short-circuit MAC for pipe_poll as well. Notes: svn path=/head/; revision=367833
* mac_framework.h: fix build with DEBUG_VFS_LOCKS and !MACAndriy Gapon2020-09-031-1/+1
| | | | | | | | | | | | | | | I have such a custom kernel configuration and its build failed with: linking kernel.full ld: error: undefined symbol: mac_vnode_assert_locked >>> referenced by mac_framework.h:556 (/usr/devel/git/apu2c4/sys/security/mac/mac_framework.h:556) >>> tmpfs_vnops.o:(mac_vnode_check_stat) >>> referenced by mac_framework.h:556 (/usr/devel/git/apu2c4/sys/security/mac/mac_framework.h:556) >>> vfs_default.o:(mac_vnode_check_stat) >>> referenced by mac_framework.h:556 (/usr/devel/git/apu2c4/sys/security/mac/mac_framework.h:556) >>> ufs_vnops.o:(mac_vnode_check_stat) Notes: svn path=/head/; revision=365308
* security: clean up empty lines in .c and .h filesMateusz Guzik2020-09-013-3/+1
| | | | Notes: svn path=/head/; revision=365083
* mac: even up all entry points to the same schemeMateusz Guzik2020-08-061-7/+38
| | | | | | | | - use a macro for checking whether the site is enabled - expand it to 0 if mac is not compiled in to begin with Notes: svn path=/head/; revision=363935
* vfs: add a cheaper entry for mac_vnode_check_accessMateusz Guzik2020-08-053-2/+17
| | | | Notes: svn path=/head/; revision=363886
* Fix tinderbox build after r363714Mateusz Guzik2020-07-301-0/+8
| | | | Notes: svn path=/head/; revision=363716
* vfs: elide MAC-induced locking on rename if there are no relevant hoooksMateusz Guzik2020-07-292-0/+7
| | | | Notes: svn path=/head/; revision=363668
* vfs: add the infrastructure for lockless lookupMateusz Guzik2020-07-251-1/+2
| | | | | | | | | Reviewed by: kib Tested by: pho (in a patchset) Differential Revision: https://reviews.freebsd.org/D25577 Notes: svn path=/head/; revision=363518
* vfs: fix vn_poll performance with either MAC or AUDITMateusz Guzik2020-07-162-1/+16
| | | | | | | | | | | | | | | | | | | | The code would unconditionally lock the vnode to audit or call the mac hoook, even if neither want to do anything. Pre-check the state to avoid locking in the common case of nothing to do. Note this code should not be normally executed anyway as vnodes are always return ready. However, poll1/2 from will-it-scale use regular files for benchmarking, presumably to focus on the interface itself as the vnode handler is not supposed to do almost anything. This in particular fixes poll2 which passes 128 fds. $ ./poll2_processes -s 10 before: 134411 after: 271572 Notes: svn path=/head/; revision=363249
* vfs: fix MAC/AUDIT mismatch in vn_pollMateusz Guzik2020-07-161-0/+10
| | | | | | | Auditing would not be performed without MAC compiled in. Notes: svn path=/head/; revision=363247
* mac_policy: Remove mac_policy_sxJason A. Harmening2020-04-041-8/+3
| | | | | | | | | | This lock was made unnecessary by the addition of mac_policy_rms in r356120. Reviewed by: mjg, kib Differential Revision: https://reviews.freebsd.org/D24283 Notes: svn path=/head/; revision=359628
* Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)Pawel Biernacki2020-02-261-1/+1
| | | | | | | | | | | | | | | | | | | r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren’t properly marked). Use it in preparation for a general review of all nodes. This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags. Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT Approved by: kib (mentor, blanket) Commented by: kib, gallatin, melifaro Differential Revision: https://reviews.freebsd.org/D23718 Notes: svn path=/head/; revision=358333
* vfs: use mac fastpath for lookup, open, read, write, mmapMateusz Guzik2020-02-133-15/+124
| | | | Notes: svn path=/head/; revision=357889
* mac: implement fast path for checksMateusz Guzik2020-02-133-4/+118
| | | | | | | | | | | | | | | | All checking routines walk a linked list of all modules in order to determine if given hook is installed. This became a significant problem after mac_ntpd started being loaded by default. Implement a way perform checks for select hooks by testing a boolean. Use it for priv_check and priv_grant, which are constantly called from priv_check. The real fix would use hotpatching, but the above provides a way to know when to do it. Notes: svn path=/head/; revision=357887
* vfs: drop the mostly unused flags argument from VOP_UNLOCKMateusz Guzik2020-01-032-4/+4
| | | | | | | | | | | Filesystems which want to use it in limited capacity can employ the VOP_UNLOCK_FLAGS macro. Reviewed by: kib (previous version) Differential Revision: https://reviews.freebsd.org/D21427 Notes: svn path=/head/; revision=356337
* mac: use a sleepable rmlock instead of an sx lockMateusz Guzik2019-12-271-2/+6
| | | | | | | | | | | | | | If any non-static modules are loaded (and mac_ntpd tends to be), the lock is taken all the time al over the kernel. On platforms like arm64 this results in an avoidable significant performance degradation. Since write-locking is almost never needed, use a primitive optimized towards read-locking. Sample result of building the kernel on tmpfs 11 times: stock 11142.80s user 6704.44s system 4924% cpu 6:02.42 total patched 11118.95s user 2374.94s system 4547% cpu 4:56.71 total Notes: svn path=/head/; revision=356120
* Instead of looking up a predecessor or successor to the current mapDoug Moore2019-11-201-4/+5
| | | | | | | | | | | | entry, when that entry has been seen already, keep the already-looked-up value in a variable and use that instead of looking it up again. Approved by: alc, markj (earlier version), kib (earlier version) Differential Revision: https://reviews.freebsd.org/D22348 Notes: svn path=/head/; revision=354895
* Define wrapper functions vm_map_entry_{succ,pred} to act as wrappersDoug Moore2019-11-131-1/+2
| | | | | | | | | | | | | | | around entry->{next,prev} when those are used for ordered list traversal, and use those wrapper functions everywhere. Where the next field is used for maintaining a stack of deferred operations, #define defer_next to make that different usage clearer, and then use the 'right' pointer instead of 'next' for that purpose. Approved by: markj Tested by: pho (as part of a larger patch) Differential Revision: https://reviews.freebsd.org/D22347 Notes: svn path=/head/; revision=354684
* Define macro VM_MAP_ENTRY_FOREACH for enumerating the entries in a vm_map.Doug Moore2019-10-081-1/+1
| | | | | | | | | | | | | | | | | In case the implementation ever changes from using a chain of next pointers, then changing the macro definition will be necessary, but changing all the files that iterate over vm_map entries will not. Drop a counter in vm_object.c that would have an effect only if the vm_map entry count was wrong. Discussed with: alc Reviewed by: markj Tested by: pho (earlier version) Differential Revision: https://reviews.freebsd.org/D21882 Notes: svn path=/head/; revision=353298
* vm_map_simplify_entry considers merging an entry with its twoDoug Moore2019-08-251-1/+1
| | | | | | | | | | | | | | | | | neighbors, and is used in a way so that if entries a and b cannot be merged, we consider them twice, first not-merging a with its successor b, and then not-merging b with its predecessor a. This change replaces vm_map_simplify_entry with vm_map_try_merge_entries, which compares two adjacent entries only, and uses it to avoid duplicated merge-checks. Tested by: pho Reviewed by: alc Approved by: markj (implicit) Differential Revision: https://reviews.freebsd.org/D20814 Notes: svn path=/head/; revision=351476
* When MAC is enabled and a policy module is loaded, don't unconditionallyRobert Watson2019-05-033-26/+51
| | | | | | | | | | | | | | | | | | lock mac_ifnet_mtx, which protects labels on struct ifnet, unless at least one policy is actively using labels on ifnets. This avoids a global mutex acquire in certain fast paths -- most noticeably ifnet transmit. This was previously invisible by default, as no MAC policies were loaded by default, but recently became visible due to mac_ntpd being enabled by default. gallatin@ reports a reduction in PPS overhead from 300% to 2.2% with this change. We will want to explore further MAC Framework optimisation to reduce overhead further, but this brings things more back into the world of the sane. MFC after: 3 days Notes: svn path=/head/; revision=347058
* mac: reduce pessimization of sdt probe handlingMateusz Guzik2018-12-191-12/+16
| | | | | | | | | | | Prior to the change the code would branch on return value and then check if probes are enabled. Since vast majority of the time they are not, this is clearly wasteful. Check probes first. Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=342247
* Remove unused argument to priv_check_cred.Mateusz Guzik2018-12-111-1/+1
| | | | | | | | | | | | | | | | Patch mostly generated with cocinnelle: @@ expression E1,E2; @@ - priv_check_cred(E1,E2,0) + priv_check_cred(E1,E2) Sponsored by: The FreeBSD Foundation Notes: svn path=/head/; revision=341827
* Require that MAC label buffers be able to store a non-empty string.Mark Johnston2018-08-011-1/+3
| | | | | | | | | | | | | | | The buffer size may be used to initialize an sbuf in MAC_POLICY_EXTERNALIZE, and without this constraint it's possible to trigger an assertion failure in the sbuf code. With INVARIANTS disabled, the first attempt to write to the sbuf will fail. Reported by: pho Reviewed by: delphij MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D16527 Notes: svn path=/head/; revision=337031
* Use an accessor function to access ifr_data.Brooks Davis2018-03-301-2/+2
| | | | | | | | | | | | | | | | This fixes 32-bit compat (no ioctl command defintions are required as struct ifreq is the same size). This is believed to be sufficent to fully support ifconfig on 32-bit systems. Reviewed by: kib Obtained from: CheriBSD MFC after: 1 week Relnotes: yes Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14900 Notes: svn path=/head/; revision=331797
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-14 22:18:42 +0000