sample 5.3 based trusted os ;-)

Ilmar S. Habibulin ilmar at watson.org
Thu Jan 20 10:29:59 GMT 2005



On Wed, 19 Jan 2005, Robert Watson wrote:

> FYI, I've started merging the System V IPC MAC code to 6.x but haven't yet
> finished.  I hope to get that done in the next few weeks.  I need to
> look at ABI issues relating to merging that work to 5.x, as it requires a
> bump of the MAC Framework module version number.  My leaning is to defer a
> merge to 5.x until a few other changes are also merged to the MAC
> Framework and then merge the entire new ABI/API and provide a
> compatibility stub to get older MAC modules to work without issue.

I knew about your merging efforts, but I do not understand why you are so
worried about older MAC compatibility. I've never heard of people
using MAC on FreeBSD. Maybe they keep silent? ;-)


> > - audit2 hacked (working audit)
>
> This is the slightly older BSM code in audit2 rather than the slightly
> newer (but in progress) BSM code in audit3, right?  Do you see any
> impediments or issues with moving to the newer code base, other than
> getting the necessary audit calls into the system call code as you've
> presumably done (haven't looked at your drop yet :-).  Did we ever get the
> audit3 tree exported usefully via cvsup?

There was only one impediment that stopped me from moving
kernel-land+auditd to the audit3 codebase -- I have a somehow working
implementation of the audit_worker and auditd interaction, with suspending and
file changing. So I decided not to hack them once again and simply
release the mix.
Audit3 code wasn't exported via cvsup. I grabbed it from
perforce.freebsd.org via http. Btw, there is nothing exported via cvsup;
at least when I use the cvsup10.freebsd.org server I get nothing in the
trustedbsd branches. There have been no changes since November 2003 imho.

> Do you have a patch for this specific change?  We've got a number of
> NFS-related MAC changes in the MAC branch that need to be cleaned up,
> fixed, and merged, so that NFS server credentials are "real" managed
> credentials, not struct cred's embedded in another data structure.

I've attached the patch. It simply adds a label to the cred structure.
That's all.

> > - network packet labeling (CIPSO & IPSec)
> >
> > audit2 is a working audit implementation with kernel record to bsm token
> > conversion, MAC label (slabel) support. Most syscalls are audited.
>
> I've just imported some of Apple's basic audit test tools (developed at
> McAfee Research) into the audit3 tree in
>
>   //depot/projects/trustedbsd/audit3/tools/regression/audit/test/...
>
> Those pieces have been generously made available by Apple under a BSD
> license.
>
> Robert N M Watson
>
>
-------------- next part --------------
diff -druN ./sys/nfsserver/nfs_srvsock.c /home/ilmar/trustedos/src/sys/nfsserver/nfs_srvsock.c
--- ./sys/nfsserver/nfs_srvsock.c	Sat Jul 24 06:07:09 2004
+++ /home/ilmar/trustedos/src/sys/nfsserver/nfs_srvsock.c	Tue Dec 14 14:39:48 2004
@@ -31,6 +31,7 @@
  *
  *	@(#)nfs_socket.c	8.5 (Berkeley) 3/30/95
  */
+#include "opt_mac.h"
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD: src/sys/nfsserver/nfs_srvsock.c,v 1.92 2004/07/24 02:07:09 rwatson Exp $");
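Review bot: the `#include "opt_mac.h"` line sits directly under the closing `*/` of the licence comment, ahead of <sys/cdefs.h> and __FBSDID. FreeBSD kernel sources normally keep those two first and place the opt_*.h option headers after them, separated by a blank line. Suggest moving the include below the __FBSDID line.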
@@ -44,6 +45,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
+#include <sys/mac.h>
 #include <sys/mbuf.h>
 #include <sys/mount.h>
 #include <sys/mutex.h>
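Review bot: <sys/mac.h> is inserted after <sys/malloc.h>, which breaks the alphabetical order of the surrounding <sys/...> includes. It sorts between <sys/lock.h> and <sys/malloc.h>.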
@@ -369,6 +371,10 @@
 		 * 5.3-RELEASE.
 		 */
 		bzero((caddr_t)&nd->nd_cr, sizeof (struct ucred));
+#ifdef MAC
+		mac_init_cred(&nd->nd_cr);
+		mac_create_proc1(&nd->nd_cr);
+#endif
 		nd->nd_cr.cr_ref = 1;
 		nd->nd_cr.cr_uid = fxdr_unsigned(uid_t, *tl++);
 		nd->nd_cr.cr_gid = fxdr_unsigned(gid_t, *tl++);
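Review bot: mac_create_proc1() on the second added line gives every decoded NFS request credential the same label, the one that (going by the function name) belongs to the first userland process, while the uid and gid on the lines that follow come from the RPC header. A policy therefore cannot distinguish one NFS client from another by label. Please add a comment saying why that label is the intended one for remote requests, or use a dedicated entry point for NFS server credentials so a policy can choose the label. Also note that mac_init_cred() allocates state here on every request, so each path that later frees nd has to release it.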
@@ -718,6 +724,10 @@
 		if (nam) {
 			FREE(nam, M_SONAME);
 		}
+#ifdef MAC
+		if(nd->nd_cr.cr_label != NULL)
+			mac_destroy_cred(&nd->nd_cr);
+#endif
 		free((caddr_t)nd, M_NFSRVDESC);
 		return (error);
 	}
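Review bot: the `cr_label != NULL` guard in front of mac_destroy_cred() is only sound if cr_label is guaranteed to be NULL whenever the init block after the bzero() in the previous hunk did not run. The allocation of nd is not part of this diff, so confirm that it zeroes the descriptor, or set nd_cr.cr_label to NULL at allocation. Otherwise this error path tests an uninitialised pointer and may hand it to mac_destroy_cred().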
diff -druN ./sys/nfsserver/nfs_syscalls.c /home/ilmar/trustedos/src/sys/nfsserver/nfs_syscalls.c
--- ./sys/nfsserver/nfs_syscalls.c	Fri Jun 18 02:48:11 2004
+++ /home/ilmar/trustedos/src/sys/nfsserver/nfs_syscalls.c	Tue Dec 14 14:44:21 2004
@@ -390,6 +390,10 @@
 		}
 		if (error || (slp->ns_flag & SLP_VALID) == 0) {
 			if (nd) {
+#ifdef MAC
+				if(nd->nd_cr.cr_label != NULL)
+					mac_destroy_cred(&nd->nd_cr);
+#endif
 				free((caddr_t)nd, M_NFSRVDESC);
 				nd = NULL;
 			}
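Review bot: the same three-line `#ifdef MAC` / check / mac_destroy_cred() block is pasted in front of every free of an M_NFSRVDESC descriptor in this patch (five sites across two files). Any free site that is missed, now or in a later change, leaks the label. Suggest one small helper that destroys the label and frees the descriptor, and calling it from all of these sites.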
@@ -521,6 +525,10 @@
 			if (slp->ns_so->so_proto->pr_flags & PR_CONNREQUIRED)
 				nfs_slpunlock(slp);
 			if (error == EINTR || error == ERESTART) {
+#ifdef MAC
+				if(nd->nd_cr.cr_label != NULL)
+					mac_destroy_cred(&nd->nd_cr);
+#endif
 				free((caddr_t)nd, M_NFSRVDESC);
 				nfsrv_slpderef(slp);
 				s = splnet();
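Review bot: the added check dereferences nd->nd_cr.cr_label with no test that nd is non-NULL, whereas the free sites in the neighbouring hunks of this file are wrapped in `if (nd)`. Confirm nd cannot be NULL on the EINTR/ERESTART path, or add the same guard before the dereference.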
@@ -534,6 +542,10 @@
 			break;
 		    };
 		    if (nd) {
+#ifdef MAC
+			if(nd->nd_cr.cr_label != NULL)
+				mac_destroy_cred(&nd->nd_cr);
+#endif
 			FREE((caddr_t)nd, M_NFSRVDESC);
 			nd = NULL;
 		    }
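Review bot: style point on the added `if(nd->nd_cr.cr_label != NULL)` line here and in the other hunks: the surrounding code writes `if (nd) {` with a space after the keyword, so the new lines should read `if (nd->nd_cr.cr_label != NULL)`.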
@@ -629,6 +641,10 @@
 		for (nwp = LIST_FIRST(&slp->ns_tq); nwp; nwp = nnwp) {
 			nnwp = LIST_NEXT(nwp, nd_tq);
 			LIST_REMOVE(nwp, nd_tq);
+#ifdef MAC
+			if(nwp->nd_cr.cr_label != NULL)
+				mac_destroy_cred(&nwp->nd_cr);
+#endif
 			free((caddr_t)nwp, M_NFSRVDESC);
 		}
 		LIST_INIT(&slp->ns_tq);

