FreeBSD/src 53b2f30 — sys/amd64/vmm/amd amdvi_hw.c
bhyve: style, add comma to the last line of designated initializer

(cherry picked from commit 299bb57d9b71be2b033a92033268d8b1c732e4fe)
Added | Removed | File
---|---|---
+1 | -1 | sys/amd64/vmm/amd/amdvi_hw.c |
+1 | -1 | 1 files |
iommu_gas_map_region(): add comment explaining the ma array shift

(cherry picked from commit 45f70f98fc55b753b1e7a7374b4a061aa1f27392)
Added | Removed | File
---|---|---
+5 | -0 | sys/dev/iommu/iommu_gas.c |
+5 | -0 | 1 files |
igc(4): Fix attach for I226-K and LMVP devices

Summary: The device IDs for these were in the driver's list of PCI ids to attach to, but igc_set_mac_type() had never been set up to set the correct mac type for these devices. Fix this by adding these IDs to the switch block in order for them to be recognized by the driver instead of returning an error.

This fixes the igc(4) attach for the I226-K LOM on the ASRock Z790 PG-ITX/TB4 motherboard, allowing it to be recognized and used.

Signed-off-by: Eric Joyner <erj at FreeBSD.org>
Reviewed by: kbowling@
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D49147
(cherry picked from commit 7ee310c80ea7b336972f53cc48b8c3d03029941e)
Added | Removed | File
---|---|---
+2 | -0 | sys/dev/igc/igc_api.c |
+2 | -0 | 1 files |
mac_do(4): Revamp manual page after MAC/do updates

The new manual page in particular describes MAC/do's new rules syntax and the jail support, as well as security considerations explaining the overall design and how to leverage it in the most secure fashion.

Reviewed by: bapt, otis, Alexander Ziaee <concussious at runbox.com> (in part)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48153
(cherry picked from commit bc201841d13928c2a088fb07ac0a010b36eafa13)
Added | Removed | File
---|---|---
+418 | -44 | share/man/man4/mac_do.4 |
+418 | -44 | 1 files |
mac(4): Mention mac_do(4)

Mention also mac_do(4) in the mac(4) manual page.

Reviewed by: bapt
Differential Revision: https://reviews.freebsd.org/D48255
(cherry picked from commit 4c0435d919b1059a449d97d74abc251c6f526588)
Added | Removed | File
---|---|---
+3 | -1 | share/man/man4/mac.4 |
+3 | -1 | 1 files |
setcred(2): Add manual page

Reviewed by: Alexander Ziaee <concussious at runbox.com>
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48063
(cherry picked from commit b6f4027ad9a2ede69a7ec11137cc4ea69ec2f0a0)
Added | Removed | File
---|---|---
+290 | -0 | lib/libc/sys/setcred.2 |
+1 | -0 | lib/libc/sys/Makefile.inc |
+291 | -0 | 2 files |
MAC/do: Apply a rule on real UID/GID instead of effective ones

We intend MAC/do to authorize transitions based on the "real" identity information of the calling process, rather than transiently-acquired effective IDs.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47845
(cherry picked from commit de701f9bdbe0ede691a0439d1c469082b94fe234)
Added | Removed | File
---|---|---
+2 | -2 | sys/security/mac_do/mac_do.c |
+2 | -2 | 1 files |
MAC/do: Fix a compilation warning about an unused function

grant_supplementary_group_from_flags() had been used in previous versions of the recent changes, but recently has not been needed anymore. It has been kept around just in case deliberately, by analogy with grant_primary_group_from_flags() (this one still being used).

(cherry picked from commit f1ddb6fb8c4d051a205dae3a848776c9d56f86ff)
Added | Removed | File
---|---|---
+1 | -1 | sys/security/mac_do/mac_do.c |
+1 | -1 | 1 files |
MAC/do: Convert internal TAILQs to STAILQs

We only browse these forward and never need to remove arbitrary elements from them.

No functional change (intended).

Reviewed by: bapt, emaste
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47624
(cherry picked from commit c7fc71c6af0761f81ecafdb281dd43a081b3b22f)
Added | Removed | File
---|---|---
+18 | -18 | sys/security/mac_do/mac_do.c |
+18 | -18 | 1 files |
MAC/do: Update copyright

Approved by: emaste (mentor)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit e94684b3e0d966f755f785e4908317bd6bdd2ea0)
Added | Removed | File
---|---|---
+7 | -2 | sys/security/mac_do/mac_do.c |
+7 | -2 | 1 files |
mdo(1): Use setcred() to change credentials

As this is the only system call that MAC/do currently supports, and the only one that really can be for transitions involving simultaneous changes of user and group IDs.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47621
(cherry picked from commit e395e354823b690ba19ecc8e3688bacec6f67ad3)
Added | Removed | File
---|---|---
+35 | -7 | usr.bin/mdo/mdo.c |
+35 | -7 | 1 files |
MAC/do: parse_rules(): Tolerate blanks around tokens

To this end, we introduce the strsep_noblanks() function, designed to be a drop-in replacement for strsep(), and use it in place of the latter.

We had taken care of calling strsep() even when the remaining sub-string was not delimited (i.e., with empty string as its second argument), so this commit only has mechanical replacements of existing calls.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47623
(cherry picked from commit 4a03b64517b3151064c52e213ebbc068ab1430d1)
Added | Removed | File
---|---|---
+53 | -8 | sys/security/mac_do/mac_do.c |
+53 | -8 | 1 files |
MAC/do: toast_rules(): Minor simplification

Use the most common pattern to browse and delete elements of a list, as it reads quicker.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47622
(cherry picked from commit 2110eef4bf608b6c1facc57c68d02960b6d880c9)
Added | Removed | File
---|---|---
+2 | -3 | sys/security/mac_do/mac_do.c |
+2 | -3 | 1 files |
MAC/do: Introduce rules reference counting

This is going to be used in subsequent commits to keep rules alive even if disconnected from their jail in the meantime. We'll indeed have to release the prison lock between two uses (outright rejection, final granting) where the rules must absolutely stay the same for security reasons.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47619
(cherry picked from commit 3d8d91a5b32c219c7ee47840dcacbaf8c7480267)
Added | Removed | File
---|---|---
+58 | -5 | sys/security/mac_do/mac_do.c |
+58 | -5 | 1 files |
UPDATING: Request recompiling MAC modules because of new hooks
Added | Removed | File
---|---|---
+6 | -0 | UPDATING |
+6 | -0 | 1 files |
MAC/do: Interpret the new rules specification; Monitor setcred()

TL;DR: Now monitor setcred() calls, and reject or grant them according to the new rules specification. Drop monitoring setuid() and setgroups().

As previously explained in the commit introducing the setcred() system call, MAC/do must know the entire new credentials while the old ones are still available to be able to approve or reject the requested changes. To this end, the chosen approach was to introduce a new system call, setcred(), instead of modifying existing ones to be able to participate in a "prepare then commit"-like protocol.

******

The MAC framework typically calls several hooks of its registered policies as part of the privilege checking/granting process. Each system call calls some dedicated hook early, to which it usually passes [112 lines not shown]
Added | Removed | File
---|---|---
+650 | -126 | sys/security/mac_do/mac_do.c |
+650 | -126 | 1 files |
New setcred() system call and associated MAC hooks

This new system call allows setting all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. Its advantage over standard credential-setting system calls (such as setuid(), seteuid(), etc.) is that it enables MAC modules, such as MAC/do, to restrict the set of credentials some process may gain in a fine-grained manner.

Traditionally, credential changes rely on setuid binaries that call multiple credential system calls and in a specific order (setuid() must be last, so as to remain root for all other credential-setting calls, which would otherwise fail with insufficient privileges). This piecewise approach causes the process to transiently hold credentials that are neither the original nor the final ones. For the kernel to enforce that only certain transitions of credentials are allowed, either these possibly non-compliant transient states have to disappear (by setting all relevant attributes in one go), or the kernel must delay setting or checking the new credentials. Delaying setting credentials [40 lines not shown]
Added | Removed | File
---|---|---
+364 | -9 | sys/kern/kern_prot.c |
+76 | -1 | sys/sys/ucred.h |
+47 | -0 | sys/security/mac/mac_cred.c |
+30 | -0 | sys/kern/systrace_args.c |
+30 | -0 | sys/compat/freebsd32/freebsd32_systrace_args.c |
+29 | -0 | sys/security/mac_test/mac_test.c |
+576 | -10 | 19 files not shown |
+662 | -16 | 25 files |
MAC/do: Output errors when parsing rules

So that administrators can more easily know what the problem is with the rules they are trying to set.

The new sysctl 'security.mac.do.print_parse_error' controls whether trying to set sysctl 'security.mac.do.rules' with invalid rules triggers printing of the error on the system console. Setting jail parameters directly reports an error to the calling process thanks to the VFS options mechanism used by the jail machinery, so is not controlled by the new sysctl setting.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47617
(cherry picked from commit 87c06b7d026f2beeb3c2f695567ef72aa3a427ea)
Added | Removed | File
---|---|---
+191 | -40 | sys/security/mac_do/mac_do.c |
+191 | -40 | 1 files |
MAC/do: Support multiple users and groups as single rule's targets

Supporting group targets is a requirement for MAC/do to be able to enforce a limited set of valid new groups passed to setgroups(). Additionally, it must be possible for this set of groups to also depend on the target UID, since users and groups are quite tied in UNIX (users are automatically placed in only the groups specified through '/etc/passwd' (primary group) and '/etc/group' (supplementary ones)).

These requirements call for a re-design of the specification of the rules specification string and of 'struct rule'.

A rules specification string is now a list of rules separated by ';' (instead of ','). One rule is still composed of a "from" part and a "to" (or "target") part, both being separated by ':' (as before).

The first part, "from", is matched against the credentials of the process calling setuid()/setgroups(). Its specification remains unchanged: It is a '<type>=<id>' clause, where <type> is either "uid" or [69 lines not shown]
Added | Removed | File
---|---|---
+661 | -79 | sys/security/mac_do/mac_do.c |
+661 | -79 | 1 files |
MAC/do: Better parsing for IDs (strtoui_strict())

Introduce strtoui_strict(), which signals an error on overflow contrary to the in-kernel strto*() family of functions which have no 'errno' to set and thus do not allow callers to distinguish a genuine maximum value on input and overflow. It is built on top of strtoq() and the 'quad_t' type in order to achieve this distinction and also to still support negative inputs with the usual meaning for these functions. See the introduced comments for more details.

Use strtoui_strict() to read IDs instead of strtol().

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47614
(cherry picked from commit 0af43c029048e1ad2f8b140a3baf3851785c12d9)
Added | Removed | File
---|---|---
+49 | -6 | sys/security/mac_do/mac_do.c |
+49 | -6 | 1 files |
MAC/do: Rename private OSD slot by removing 'mac_do_' prefix

This variable is static and holds the OSD slot number for jails that MAC/do uses to store rules. In the same vein as previous renames, simplify it by removing the redundant prefix, as this name cannot appear in code outside of 'mac_do.c', nor in stack traces on panic.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47772
(cherry picked from commit 40a664a463bab87505c8d42816a71202e8ad7bd9)
Added | Removed | File
---|---|---
+10 | -10 | sys/security/mac_do/mac_do.c |
+10 | -10 | 1 files |
MAC/do: Ease input/output of ID types

Have a static constant array mapping numerical ID types to their canonical representations ('id_type_to_str').

New parse_id_type() that parses a type thanks to 'id_type_to_str' and with a special case to accept also 'any'.

Have parse_rule_element() use parse_id_type(). A later commit will add a second call to the latter for the destination ID.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47615
(cherry picked from commit 65766063f85d8b8fe8b24a50250a12a122974c26)
Added | Removed | File
---|---|---
+44 | -5 | sys/security/mac_do/mac_do.c |
+44 | -5 | 1 files |
MAC/do: 'struct rule': IDs and types as 'u_int', rename fields

This is in preparation for introducing a common conversion function for IDs and to simplify code a bit by removing the from-IDs union and not having to introduce a new one for to-IDs in a later commit.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47613
(cherry picked from commit 6aadc7b2ee055fba58984fec715b6e2a754f9d3e)
Added | Removed | File
---|---|---
+43 | -59 | sys/security/mac_do/mac_do.c |
+43 | -59 | 1 files |
MAC/do: parse_rule_element(): Bug in parsing the origin ID

The ID field was allowed to be empty, which would be then parsed as 0 by strtol().

There remain bugs in this function, where parsing for from- or to- IDs accepts spaces and produces 0, but this will conveniently be fixed in a later commit introducing strtoui_strict().

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47612
(cherry picked from commit fa4352b74580832d7b501d34d09a564438a82c3d)
Added | Removed | File
---|---|---
+1 | -1 | sys/security/mac_do/mac_do.c |
+1 | -1 | 1 files |
MAC/do: jail_check()/jail_set(): Revamp

Handle JAIL_SYS_DISABLE the same as JAIL_SYS_NEW with an empty rules specification, coherently with jail_get(). Also accept JAIL_SYS_DISABLE in "mac.do" without "mac.do.rules" being specified.

The default value for "mac.do", if not passed explicitly, is either JAIL_SYS_NEW if "mac.do.rules" is present and non-empty, or JAIL_SYS_DISABLE if present and empty or not present.

Perform all cheap sanity checks in jail_check(), and have these materialized as well in jail_set() under INVARIANTS. Cheap checks are type and coherency checks between the values of "mac.do" and "mac.do.rules". They don't include parsing the "mac.do.rules" string but just checking its length (when applicable). In a nutshell, JAIL_SYS_DISABLE and JAIL_SYS_INHERIT are allowed iff "mac.do.rules" isn't specified or is with an empty string, and JAIL_SYS_NEW is allowed iff "mac.do.rules" is specified (the latter may be empty, in which case this is equivalent to JAIL_SYS_DISABLE). [13 lines not shown]
Added | Removed | File
---|---|---
+111 | -17 | sys/security/mac_do/mac_do.c |
+111 | -17 | 1 files |
MAC/do: parse_rule_element(): Style, more clarity

Add newlines to separate logical blocks. Remove braces around 'if's non-compound substatements.

No functional change (intended).

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47611
(cherry picked from commit e4ce30f8da612db96410b66cccf9fc12ccce282a)
Added | Removed | File
---|---|---
+9 | -5 | sys/security/mac_do/mac_do.c |
+9 | -5 | 1 files |
MAC/do: Sysctl knobs/jail parameters under MAC's common nodes

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47608
(cherry picked from commit f3a06ced25681b6da40c652203f882ba18be227d)
Added | Removed | File
---|---|---
+8 | -10 | sys/security/mac_do/mac_do.c |
+8 | -10 | 1 files |
MAC/do: Re-order jail methods more logically, rename

No functional change intended.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47606
(cherry picked from commit 2b2c19b7f697cc88d4da3e8e13051139cd0a4f96)
Added | Removed | File
---|---|---
+45 | -42 | sys/security/mac_do/mac_do.c |
+45 | -42 | 1 files |
MAC/do: Prefix internal functions used as hooks/callbacks

So that we immediately know whether a kernel stack involves MAC/do.

Reviewed by: bapt
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47607
(cherry picked from commit 11ba1f2fe2d4e151ffc0a66d03a0691a7b8d2866)
Added | Removed | File
---|---|---
+12 | -12 | sys/security/mac_do/mac_do.c |
+12 | -12 | 1 files |