Date: Mon, 11 Dec 2006 21:46:36 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 111493 for review Message-ID: <200612112146.kBBLkaZO097834@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=111493 Change 111493 by millert@millert_g5tower on 2006/12/11 21:46:25 Rip out base policy support; it doesn't really add security. The only real way to guarantee that a module is loaded is to link it statically. Affected files ... .. //depot/projects/trustedbsd/sedarwin8/Makeconfig.in#3 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#31 edit .. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#34 edit .. //depot/projects/trustedbsd/sedarwin8/policies/Makefile#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/Makeconfig.in#3 (text+ko) ==== @@ -1,6 +1,6 @@ # List the security modules you want to use -SECURITY_MODULES ?= basetest sedarwin +SECURITY_MODULES ?= sedarwin # # You shouldn't have to edit anything else ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#31 (text+ko) ==== @@ -148,13 +148,6 @@ */ extern zone_t mac_audit_data_zone; -/* - * mac_static_base_mpc holds a pointer to the single instance of the base - * policy MAC configuration structure. This pointer must be set at boot, - * before the BSD init function is called. - */ -struct mac_policy_conf *mac_static_base_mpc = NULL; - /* * mac_policy_list holds the list of policy modules. Modules with a * handle lower than staticmax are considered "static" and cannot be @@ -438,11 +431,6 @@ struct mac_policy_conf *mpc; u_int i; - if (mac_static_base_mpc == NULL) - panic("Base MAC policy is not registered"); - else - mac_static_base_mpc->mpc_ops->mpo_base_notify_finalize(); - mac_audit_data_zone = zinit(MAC_AUDIT_DATA_LIMIT, AQ_HIWATER * MAC_AUDIT_DATA_LIMIT, 8192, "mac_audit_data_zone"); 
@@ -644,40 +632,6 @@ #endif } -static void -mac_base_policy_register(struct mac_policy_conf *mpc) -{ - int error; - u_int i; - struct mac_policy_conf *lmpc; - - if (mac_static_base_mpc != NULL) - panic("Attempt to load second MAC base policy"); - - mac_static_base_mpc = mpc; - - /* - * Tell the base policy about the static already-loaded modules. - * This code is executed at boot time. The base policy is - * responsible for halting the system, if desired. Otherwise - * the previously loaded module will stay in place. - */ - for (i = 0; i < mac_policy_list.staticmax; i++) { - lmpc = mac_get_mpc(i); - if (lmpc == NULL) - continue; - /* For now we'll check every policy regardless of dynamic flag. - If by some freak occurance a dynamic policy is loaded at - this point it needs to be approved as well. - */ - error = - mac_static_base_mpc->mpc_ops->mpo_base_check_module_load(lmpc); - if (error != 0) - printf("Module %s is not approved for loading.\n", - lmpc->mpc_name); - } -} - static __inline void mac_policy_fixup_mmd_list(struct mac_module_data *new) { @@ -751,17 +705,6 @@ mac_policy_grab_exclusive(); } - /* Call the base module to approve the loading of this MAC module. */ - if (mac_static_base_mpc != NULL) { - error = - mac_static_base_mpc->mpc_ops->mpo_base_check_module_load(mpc); - if (error != 0) { - printf("Module %s is not approved for loading.\n", - mpc->mpc_name); - goto out; - } - } - if (mac_policy_list.numloaded >= mac_policy_list.max) { /* allocate new policy list array, zero new chunk */ tmac_policy_list_element = @@ -867,9 +810,6 @@ mac_policy_updateflags(); - if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY) != 0) - mac_base_policy_register(mpc); - if (mac_late) mac_policy_release_exclusive(); 
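Review bot: The removed `if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY) != 0)` test in the last hunk on this line is the only consumer of `MPC_LOADTIME_BASE_POLICY` visible in this change, and the mac_policy.h hunks below remove the `mpo_base_*` typedefs and ops fields but not that flag. If its definition survives in mac_policy.h, a policy module can still set it and silently get no special treatment, which is a worse failure mode for a module author who relied on it than a compile error would be. Either drop the definition in the same change or annotate it, e.g. `/* MPC_LOADTIME_BASE_POLICY: no longer honored; base policy support removed */`. The enclosing registration function starts and ends outside this hunk, so I cannot tell whether `error` still has other uses after the approval block in the preceding hunk is gone.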
@@ -905,17 +845,6 @@ return (0); } - /* Call the base module to approve the unloading of this MAC module. */ - if (mac_static_base_mpc != NULL) { - error = - mac_static_base_mpc->mpc_ops->mpo_base_check_module_unload(mpc); - if (error != 0) { - printf("Module %s is not approved for unloading.\n", - mpc->mpc_name); - mac_policy_release_exclusive(); - return (EBUSY); - } - } #if 0 /* * Don't allow unloading modules with private data. ==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#34 (text+ko) ==== 
@@ -185,48 +185,6 @@ void *args ); /** - @brief Base Policy approve MAC module load event - @param mpc MAC policy configuration - - This function is called when a MAC policy is loaded. The Base policy - can perform a series of checks on the MAC policy, and return 0 - if the MAC policy load is approved, non-zero otherwise. In the non-zero - case, the MAC framework will not incorporate the policy, and the failure - will be logged. - - @return On success, 0, otherwise, an appropriate errno return value. -*/ -typedef int mpo_base_check_module_load_t( - struct mac_policy_conf *mpc -); -/** - @brief Base Policy approve MAC module unload event - @param mpc MAC policy configuration - - This function is called when a MAC policy is unloaded. The Base policy - can perform a series of checks on the MAC policy, and return 0 - if the MAC policy unload is approved, non-zero otherwise. In the non-zero - case, the MAC framework will not unload the policy, and the failure - will be logged. - - @return On success, 0, otherwise, an appropriate errno return value. -*/ -typedef int mpo_base_check_module_unload_t( - struct mac_policy_conf *mpc -); -/** - @brief Base Policy finalize event - - This function is called when the MAC framework is finishing its setup - during BSD subsystem initilization. The Base policy can perform a final - check on MAC policy registrations, and panic the system if so desired. - A return from this function means that the MAC framework is ready to go. - As an example, the Base policy can check a list of required - MAC policies, and if not all are present, panic. - -*/ -typedef void mpo_base_notify_finalize_t(void); -/** @brief Indicate desire to change the process label at exec time @param old Existing subject credential @param vp File being executed 
@@ -5028,9 +4986,6 @@ struct mac_policy_ops { mpo_audit_check_postselect_t *mpo_audit_check_postselect; mpo_audit_check_preselect_t *mpo_audit_check_preselect; - mpo_base_check_module_load_t *mpo_base_check_module_load; - mpo_base_check_module_unload_t *mpo_base_check_module_unload; - mpo_base_notify_finalize_t *mpo_base_notify_finalize; mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; mpo_cred_check_label_update_t *mpo_cred_check_label_update; mpo_cred_check_visible_t *mpo_cred_check_visible; ==== //depot/projects/trustedbsd/sedarwin8/policies/Makefile#4 (text+ko) ==== @@ -1,5 +1,5 @@ -SUBDIR= basetest color console count device_access extattr_test \ - fwinteg ipctrace mls multilabel none readonly stacktrace \ +SUBDIR= color console count device_access extattr_test \ + ipctrace mls multilabel none readonly stacktrace \ stub test vanity xattr SUBDIR+= sedarwin
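Review bot: The policies/Makefile hunk drops `fwinteg` from SUBDIR alongside `basetest`, but the change description only mentions base policy support and no fwinteg source is touched anywhere in this change. If fwinteg implemented or depended on the removed `mpo_base_*` hooks, the description should say so; if it did not, removing it from the default build looks unrelated and belongs in a separate change. A security module silently disappearing from the build list is easy to miss in review, so a one-line justification such as `fwinteg dropped from SUBDIR: depended on the removed base policy hooks` (or the actual reason) would make this traceable.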