From owner-trustedbsd-discuss@FreeBSD.ORG Sat Feb 11 23:09:48 2006
Date: Sat, 11 Feb 2006 23:12:39 +0000 (GMT)
From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Message-ID: <20060211231217.X71792@fledge.watson.org>
Subject: trustedbsd-discuss: test post

This is a test post to test the transition to the FreeBSD.org mailman install. Please ignore.

Robert N M Watson

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Feb 23 22:19:49 2006
Date: Thu, 23 Feb 2006 22:23:39 +0000 (GMT)
From: Robert Watson
To: trustedbsd-discuss@TrustedBSD.org
Message-ID: <20060223222257.B33959@fledge.watson.org>
Subject: TrustedBSD mailing list server update

Per earlier e-mail, the TrustedBSD Project is now using the FreeBSD Project's mailman server to host its mailing lists, which provides a web interface for subscription management, archives, etc. As of now, to manage your mailing list subscription for this mailing list, view mailing list archives, etc, you should go to the following URL:

http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss

Robert N M Watson

From owner-trustedbsd-discuss@FreeBSD.ORG Sun Mar 5 19:14:03 2006
Date: Sun, 5 Mar 2006 14:13:59 -0500
Message-ID: <7292F66980B8DB43BD9C4FD4E019F83614014B@aplesjustice.dom1.jhuapl.edu>
From: "Pendergrass, James A."
Subject: DSEP 20060213, SEDarwin Module

Hello,

I just learned of the SEDarwin project at the SELinux symposium last week, and I thought I'd try to get involved in development/testing/whatever is needed. I've set up a test machine and downloaded/built the DSEP 20060213 tarball available from the SEDarwin page of the SEBSD site.

But the SEDarwin module won't build. There are many errors in the sebsd.c file, mostly relating to dereferencing incomplete structure types. It looks like a number of structs (like struct proc, and struct mount and others) have been made opaque in the transition from 10.3.x to 10.4.x and the MacFramework/SEDarwin code has not been updated to expose accessors to relevant members of these structures.

I'm new to XNU kernel programming so this is really just a guess based on the error messages. Can someone verify that this is indeed the problem? Also, would it be helpful to the community for me to devote some energy into fixing this breakage, or is someone else already on top of it? I tried checking out the CVSup repository, but it seems woefully out of date. In general, I would like to know what is available for me to work on that would be of use to the rest of the community.

Thanks,
J. Aaron Pendergrass

From owner-trustedbsd-discuss@FreeBSD.ORG Sun Mar 5 20:11:23 2006
In-Reply-To: <7292F66980B8DB43BD9C4FD4E019F83614014B@aplesjustice.dom1.jhuapl.edu>
References: <7292F66980B8DB43BD9C4FD4E019F83614014B@aplesjustice.dom1.jhuapl.edu>
Message-Id: <84FEF17C-1D6E-4C7D-9086-EA266BBE64B7@sparta.com>
From: Todd Miller
Date: Sun, 5 Mar 2006 15:11:20 -0500
To: "Pendergrass, James A."
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: DSEP 20060213, SEDarwin Module

The DSEP release is tiger-based but SEDarwin is still based on Panther. The DSEP work is really separate from SEDarwin (and the SEDarwin code it contains is not current). If you download the SEDarwin release it will build, albeit on Panther only so far. We will be porting SEDarwin to Tiger in the future but there is still work to be completed securing Mach messaging first.

 - todd

From owner-trustedbsd-discuss@FreeBSD.ORG Sun Mar 5 22:24:04 2006
Date: Sun, 5 Mar 2006 17:23:23 -0500
Message-ID: <7292F66980B8DB43BD9C4FD4E019F83614014D@aplesjustice.dom1.jhuapl.edu>
References: <7292F66980B8DB43BD9C4FD4E019F83614014B@aplesjustice.dom1.jhuapl.edu>
 <84FEF17C-1D6E-4C7D-9086-EA266BBE64B7@sparta.com>
From: "Pendergrass, James A."
To: "Todd Miller"
Cc: trustedbsd-discuss@FreeBSD.org
Subject: RE: DSEP 20060213, SEDarwin Module

Thanks for the clarification.

Is there anything in particular that could use another set of eyes?

- aaron

-----Original Message-----
From: Todd Miller [mailto:Todd.Miller@sparta.com]
Sent: Sun 3/5/2006 3:11 PM
To: Pendergrass, James A.
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: DSEP 20060213, SEDarwin Module

The DSEP release is tiger-based but SEDarwin is still based on Panther. The DSEP work is really separate from SEDarwin (and the SEDarwin code it contains is not current). If you download the SEDarwin release it will build, albeit on Panther only so far. We will be porting SEDarwin to Tiger in the future but there is still work to be completed securing Mach messaging first.

 - todd

From owner-trustedbsd-discuss@FreeBSD.ORG Mon Mar 6 19:10:13 2006
Message-ID: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com>
Date: Mon, 6 Mar 2006 13:10:12 -0600
From: "Alex Barclay"
Sender: alexbarclay@gmail.com
To: trustedbsd-discuss@FreeBSD.org
Subject: Securing Mach IPC

Understand that Sparta is working on securing mach IPC. But with the volume of messages passed, are there plans to log/audit each mach IPC message? I haven't been able to find out what if anything DTOS did in that regard.

--
Alex Barclay
University of Tulsa
Center for Information Security
Enterprise Research Group

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 7 17:01:49 2006
Date: Wed, 08 Mar 2006 01:58:44 +0900 (JST)
Message-Id: <20060308.015844.98687889.hrs@allbsd.org>
To: trustedbsd-discuss@FreeBSD.org
From: Hiroki Sato
Subject: question about MAC policy modules on 6.0

Hi,

After testing some MAC policy modules on 6.0R, I have the following
questions about the implementation and the startup script:

1) default value of security.mac.bsdextended.firstmatch_enabled

mac_bsdextended(4) says the following:

| security.mac.bsdextended.firstmatch_enabled
| Toggle between the old all rules match functionality and the new
| first rule matches functionality. This is enabled by default.

however, the corresponding implementation is as follows:

|static int
|mac_bsdextended_firstmatch_enabled;
|SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
| CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
| "Disable/enable match first rule functionality");

Which is intended? If the manual page is correct, the attached patch (the
first one) is needed, I think.

2) rc.bsdextended

Currently /etc/rc.bsdextended is used as the default rules when
ugidfw_enable=yes in /etc/rc.conf, but this configuration is
not so generic and problematic in some cases. For example,
it includes rules for applications not in the base system, and
especially "awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }'
/etc/passwd" line does not work on systems which have a lot of
users because the current ugidfw supports 256 slots only.
Also, I am wondering why the "${CMD} add subject uid 0 object not
uid 0 mode arxws;" is included. Does the mac_bsdextended module
support rules for UID 0?

I guess that this is still work-in-progress, but since it has
been merged into the RELENG_6 branch, I think we have to polish
the default script. So, I am just wondering:

a) What is the master plan of rc.d scripts for MAC policy
   modules? I think it is better to have /etc/rc.d/mac_bsdextended,
   and knobs of $mac_bsdextended and $mac_bsdextended_script in rc.conf
   for more consistency, but we have /etc/rc.d/ugidfw, $ugidfw_enable,
   and $bsdextended_script. If there are some policies on
   that already discussed, I am interested in them.
b) Is the current content of /etc/rc.bsdextended reasonable
   as an example? I think it is too aggressive and most of the
   rules should be commented out by default.
c) Does mac_bsdextended really support rules for UID 0? The current
   /etc/rc.bsdextended script includes such rules, but the implementation
   does not support them as far as I know. Are they going to be supported
   in the near future (or just a mistake)?

3) src/share/security/* not installed

setfsmac(8) mentions /usr/share/security/lomac-policy.contexts in
the FILES section, but the actual file is not installed.
That file is src/share/security/lomac-policy.contexts in the source
tree. Is there any reason not to hook it up to the build?

4) mount_ufs(8) multilabel option

mount_ufs(8) has multilabel option for the MAC label, but it
seems broken ("tunefs -l enable" works, though).
I am not sure the attached patch (the second one) is correct, but it should
fix this.

I am still not familiar with development of Trusted BSD feature,
and maybe the above problems are solved already somewhere else or
just I get wrong ideas, but if anyone knows the details or if
I am missing something, please let me know. Thanks.

--
| Hiroki SATO

Content-Disposition: inline; filename="mac_bsdextended.c.diff"

Index: mac_bsdextended/mac_bsdextended.c =================================================================== RCS file: /home/ncvs/src/sys/security/mac_bsdextended/mac_bsdextended.c,v retrieving revision 1.25.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.25.2.2 mac_bsdextended.c --- mac_bsdextended/mac_bsdextended.c 24 Jan 2006 04:11:45 -0000 1.25.2.2 +++ mac_bsdextended/mac_bsdextended.c 25 Feb 2006 14:23:47 -0000 @@ -112,9 +112,9 @@ * functionality (all rules match). */ static int -mac_bsdextended_firstmatch_enabled; +mac_bsdextended_firstmatch_enabled = 1; SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled, - CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1, + CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0, "Disable/enable match first rule functionality"); static int

Content-Disposition: inline; filename="mount.h.diff"

Index: src/sys/sys/mount.h =================================================================== RCS file: /home/ncvs/src/sys/sys/mount.h,v retrieving revision 1.197.2.2 diff -d -u -I\$OpenBSD:.*\$ -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.197.2.2 mount.h --- src/sys/sys/mount.h 14 Jan 2006 01:18:02 -0000 1.197.2.2 +++ src/sys/sys/mount.h 7 Mar 2006 16:22:31 -0000
@@ -251,7 +251,7 @@ MNT_NOATIME | \ MNT_NOSYMFOLLOW | MNT_IGNORE | MNT_JAILDEVFS | \ MNT_NOCLUSTERR | MNT_NOCLUSTERW | MNT_SUIDDIR | \ - MNT_ACLS | MNT_USER) + MNT_ACLS | MNT_USER | MNT_MULTILABEL) /* * External filesystem command modifier flags.

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 7 17:14:05 2006
Date: Tue, 7 Mar 2006 12:14:01 -0500
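Review bot: in mac_bsdextended.c.diff, the SYSCTL_INT value argument goes from 1 to 0 on the `CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 0,` line with no explanation, while the initializer on `mac_bsdextended_firstmatch_enabled = 1;` is what carries the new default. If that macro argument is ignored once a variable pointer is supplied, say so in the commit message; otherwise leave it at 1 so the two values agree. The context comment just above still ends with "functionality (all rules match)", so re-read it against the new default, and note the behaviour change for existing rule sets, since first-match and all-rules-match can reach different access decisions for the same rules.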
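Review bot: in mount.h.diff, the name of the macro that gains the flag on the `MNT_ACLS | MNT_USER | MNT_MULTILABEL)` line is outside the hunk context, so these lines do not show which mask is being widened. If it is the mask of flags accepted on a mount update, this would let multilabel be toggled on a file system that is already mounted; confirm that the kernel still refuses to change the flag on update, or add MNT_MULTILABEL only to a mask consulted at initial mount, and state which in the commit message.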
From: Tom Rhodes
To: Hiroki Sato
Message-Id: <20060307121401.3bb2bcec.trhodes@FreeBSD.org>
In-Reply-To: <20060308.015844.98687889.hrs@allbsd.org>
References: <20060308.015844.98687889.hrs@allbsd.org>
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: question about MAC policy modules on 6.0

On Wed, 08 Mar 2006 01:58:44 +0900 (JST) Hiroki Sato wrote:

> Hi,
>
> After testing some MAC policy modules on 6.0R, I have the following
> questions about the implementation and the startup script:
>
> 1) default value of security.mac.bsdextended.firstmatch_enabled
>
> mac_bsdextended(4) says the following:
>
> | security.mac.bsdextended.firstmatch_enabled
> | Toggle between the old all rules match functionality and the new
> | first rule matches functionality. This is enabled by default.
>
> however, the corresponding implementation is as follows:
>
> |static int
> |mac_bsdextended_firstmatch_enabled;
> |SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
> | CTLFLAG_RW, &mac_bsdextended_firstmatch_enabled, 1,
> | "Disable/enable match first rule functionality");
>
> Which is intended? If the manual page is correct, the attached patch (the
> first one) is needed, I think.
>
> 2) rc.bsdextended
>
> Currently /etc/rc.bsdextended is used as the default rules when
> ugidfw_enable=yes in /etc/rc.conf, but this configuration is
> not so generic and problematic in some cases. For example,
> it includes rules for applications not in the base system, and
> especially "awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }'
> /etc/passwd" line does not work on systems which have a lot of
> users because the current ugidfw supports 256 slots only.
> Also, I am wondering why the "${CMD} add subject uid 0 object not
> uid 0 mode arxws;" is included. Does the mac_bsdextended module
> support rules for UID 0?
>
> I guess that this is still work-in-progress, but since it has
> been merged into the RELENG_6 branch, I think we have to polish
> the default script. So, I am just wondering:
>
> a) What is the master plan of rc.d scripts for MAC policy
> modules? I think it is better to have /etc/rc.d/mac_bsdextended,
> and knobs of $mac_bsdextended and $mac_bsdextended_script in rc.conf
> for more consistency, but we have /etc/rc.d/ugidfw, $ugidfw_enable,
> and $bsdextended_script. If there are some policies on
> that already discussed, I am interested in them.
> b) Is the current content of /etc/rc.bsdextended reasonable
> as an example? I think it is too aggressive and most of the
> rules should be commented out by default.
> c) Does mac_bsdextended really support rules for UID 0? The current
> /etc/rc.bsdextended script includes such rules, but the implementation
> does not support them as far as I know. Are they going to be supported
> in the near future (or just a mistake)?

The startup was a quickie thing I added because, well, we were using it where I worked at the time. In all honesty, that script needs a clean up, and I have a test machine set up at work for doing this. Unfortunately that script has rotted, 256 slots does not help, etc etc. If you have any tests for it, I'll gladly play at work this week/weekend.

>
> 3) src/share/security/* not installed
>
> setfsmac(8) mentions /usr/share/security/lomac-policy.contexts in
> the FILES section, but the actual file is not installed.
> That file is src/share/security/lomac-policy.contexts in the source
> tree. Is there any reason not to hook it up to the build?

I brought this up with Robert over a year and I think the discussion just died.

>
> 4) mount_ufs(8) multilabel option
>
> mount_ufs(8) has multilabel option for the MAC label, but it
> seems broken ("tunefs -l enable" works, though). I am not sure
> the attached patch (the second one) is correct, but it should
> fix this.
>
> I am still not familiar with development of Trusted BSD feature,
> and maybe the above problems are solved already somewhere else or
> just I get wrong ideas, but if anyone knows the details or if
> I am missing something, please let me know. Thanks.

I've also noticed some other issues. A freshly installed 6.0 does not allow me to set biba labels, even with multilabel set. Still looking into that, it could just be a simple configuration error; however, the system has had no additional configuration other than 'options MAC' added and installed.

--
Tom Rhodes

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 7 20:41:25 2006
In-Reply-To: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com>
References: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com>
Message-Id: <425FB92C-B2E8-4945-9C6D-E953935DBAED@sparta.com>
From: Todd Miller
Date: Tue, 7 Mar 2006 15:41:21 -0500
To: Alex Barclay
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: Securing Mach IPC

On Mar 6, 2006, at 2:10 PM, Alex Barclay wrote:

> Understand that Sparta is working on securing mach IPC. But with the
> volume of messages passed, are there plans to log/audit each mach IPC
> message? I haven't been able to find out what if anything DTOS did in
> that regard.

Currently only the SEDarwin module secures Mach IPC. We do a security check for each message based on the sender and the destination port (the messages themselves are not labeled). We mediate send and receive as well as port right transfers.

We haven't measured the performance hit yet but it doesn't seem too bad. The avc cache in Flask seems to work fairly well at reducing the access decision overhead. I develop (well, compile anyway) on a system with the SEDarwin module enabled and I don't really notice it...

Now, if you tried to log all mach messages you would certainly take an additional performance hit. By default we only log denials.

 - todd

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 9 14:08:49 2006
Date: Thu, 9 Mar 2006 14:09:09 +0000 (GMT)
From: Robert Watson
To: Hiroki Sato
In-Reply-To: <20060308.015844.98687889.hrs@allbsd.org>
Message-ID: <20060309140712.L13591@fledge.watson.org>
References: <20060308.015844.98687889.hrs@allbsd.org>
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: question about MAC policy modules on 6.0

On Wed, 8 Mar 2006, Hiroki Sato wrote:

> 4) mount_ufs(8) multilabel option
>
> mount_ufs(8) has multilabel option for the MAC label, but it
> seems broken ("tunefs -l enable" works, though). I am not sure
> the attached patch (the second one) is correct, but it should
> fix this.

It's been a while since I've looked at this code, and have not had a chance
to test your patch as yet. The desired behavior is that mount be able to
report that multilabel is set on the file system, and request that it be
set when mounting the file system, but that the flag cannot be changed
while running. The cache model on vnode labels basically means we assume
the underlying label storage won't change except through the supported MAC
APIs, and the mechanisms are not in place to walk the current vnode list to
re-synchronize if the backing store changes (i.e., is enabled). So as long
as your patch doesn't add the ability to modify the flag at run-time, it
sounds good to me. In principle the kernel shouldn't allow it regardless
of what mount requests, of course.

Robert N M Watson

From owner-trustedbsd-discuss@FreeBSD.ORG Sat Mar 11 01:59:24 2006
From: Thomas Sparrevohn
To: trustedbsd-discuss@freebsd.org
User-Agent: KMail/1.9.1
References: <20060308.015844.98687889.hrs@allbsd.org> <20060309140712.L13591@fledge.watson.org>
In-Reply-To: <20060309140712.L13591@fledge.watson.org>
MIME-Version: 1.0
Content-Disposition: inline
Date: Fri, 10 Mar 2006 23:20:41 +0000
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200603102320.42468.Thomas.Sparrevohn@btinternet.com>
Subject: Re: question about MAC policy modules on 6.0
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Thomas.Sparrevohn@btinternet.com
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Sat, 11 Mar 2006 01:59:24 -0000

On Thursday 09 March 2006 14:09, Robert Watson wrote:
> On Wed, 8 Mar 2006, Hiroki Sato wrote:
> > 4) mount_ufs(8) multilabel option
> >
> > mount_ufs(8) has multilabel option for the MAC label, but it
> > seems broken ("tunefs -l enable" works, though). I am not sure
> > the attached patch (the second one) is correct, but it should
> > fix this.
>

Just for the record the "multilabel" option in fstab works in 7.0 - maybe it
was missed in one of the MFC?

> It's been a while since I've looked at this code, and have not had a chance
> to test your patch as yet. The desired behavior is that mount be able to
> report that multilabel is set on the file system, and request that it be
> set when mounting the file system, but that the flag cannot be changed
> while running. The cache model on vnode labels basically means we assume
> the underlying label storage won't change except through the supported MAC
> APIs, and the mechanisms are not in place to walk the current vnode list to
> re-synchronize if the backing store changes (i.e., is enabled). So as long
> as your patch doesn't add the ability to modify the flag at run-time, it
> sounds good to me. In principle the kernel shouldn't allow it regardless
> of what mount requests, of course.
>
> Robert N M Watson
> _______________________________________________
> trustedbsd-discuss@FreeBSD.org mailing list
> http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss
> To unsubscribe, send any mail to
> "trustedbsd-discuss-unsubscribe@FreeBSD.org"

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 14 14:08:06 2006
X-Original-To: trustedbsd-discuss@FreeBSD.org
Delivered-To: trustedbsd-discuss@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 47FB316A42B
    for ; Tue, 14 Mar 2006 14:08:06 +0000 (UTC)
    (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 7EF7543D6E
    for ; Tue, 14 Mar 2006 14:07:52 +0000 (GMT)
    (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
    by cyrus.watson.org (Postfix) with ESMTP id A794246B32;
    Tue, 14 Mar 2006 09:07:27 -0500 (EST)
Date: Tue, 14 Mar 2006 14:08:39 +0000 (GMT)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Alex Barclay
In-Reply-To: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com>
Message-ID: <20060314135929.R36625@fledge.watson.org>
References: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: Securing Mach IPC
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Tue, 14 Mar 2006 14:08:06 -0000

On Mon, 6 Mar 2006, Alex Barclay wrote:

> Understand that Sparta is working on securing mach IPC. But with the volume
> of messages passed, are there plans to log/audit each mach IPC message. I
> haven't been able to find out what if anything DTOS did in that regard.

My recollection is that DTOS used the same access vector APIs for mach
message and port access control as it did for all other access control, and
therefore, audit events could be generated for send (and receive) operations
if enabled. Mind you, I've never actually run the DTOS code so can't confirm
whether or not it actually acted that way in practice.

As you observe, the issue is auditing Mach IPC is quite tricky. In the Mac
OS X CAPP evaluation work, it was concluded that auditing of individual
message operations was not required, as Darwin does not actually perform
explicit access control checks for them (since they are capabilities). From
a practical perspective, it was also entirely unclear what benefit there
would be to auditing message send/receive operations, since they happen in
vast volumes, and are largely opaque to the kernel. In a world with
mandatory access control, the individual send and receive operations, as
controlled operations, do need to be auditable, even if in practice they are
not audited in most configurations.

On the other hand, auditing and controlling the handing out of ports by,
say, the port name server would be both interesting and useful. The trick is
finding a point where the semantic information is maximized, and volume of
events is minimized, and the lookup of ports to reach services meets both of
these requirements. While I was at McAfee, we spent some time looking at
actual usage patterns for the name server and port IPC, and found it quite
interesting. To do this, we created a Darwin MAC framework module that
traced the communications, and fed the results into various processing
tools, including visualization using graphviz. I'm not sure the module
supporting this analysis was ever shipped in an SEDarwin release, but
someone at SPARTA might be able to dig it up. The SEDarwin tree may also
ship with some command line tools for inspecting the current mach bootstrap
name space, and sample access control for that name space in mach_init.

Robert N M Watson

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 14 14:24:35 2006
X-Original-To: trustedbsd-discuss@FreeBSD.org
Delivered-To: trustedbsd-discuss@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 6A72E16A423;
    Tue, 14 Mar 2006 14:24:35 +0000 (UTC)
    (envelope-from Todd.Miller@sparta.com)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 26E3F43D62;
    Tue, 14 Mar 2006 14:24:31 +0000 (GMT)
    (envelope-from Todd.Miller@sparta.com)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21])
    by M4.sparta.com (8.13.5/8.13.5) with ESMTP id k2EEOTal012074;
    Tue, 14 Mar 2006 08:24:29 -0600
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75])
    by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id k2EEOTrX001909;
    Tue, 14 Mar 2006 08:24:30 -0600
Received: from [127.0.0.1] ([157.185.80.253])
    by nemo.columbia.ads.sparta.com with Microsoft SMTPSVC(6.0.3790.1830);
    Tue, 14 Mar 2006 09:24:29 -0500
In-Reply-To: <20060314135929.R36625@fledge.watson.org>
References: <1f81ef870603061110o62db95e1v58812bfdf0c1b3fb@mail.gmail.com> <20060314135929.R36625@fledge.watson.org>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <20E9DC0B-549E-41DA-9025-F2BDC1B7EA96@sparta.com>
Content-Transfer-Encoding: 7bit
From: Todd Miller
Date: Tue, 14 Mar 2006 09:24:28 -0500
To: Robert Watson, Alex Barclay
X-Mailer: Apple Mail (2.746.2)
X-OriginalArrivalTime: 14 Mar 2006 14:24:29.0555 (UTC) FILETIME=[01513C30:01C64773]
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: Securing Mach IPC
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Tue, 14 Mar 2006 14:24:35 -0000

On Mar 14, 2006, at 9:08 AM, Robert Watson wrote:

> As you observe, the issue is auditing Mach IPC is quite tricky. In
> the Mac OS X CAPP evaluation work, it was concluded that auditing
> of individual message operations was not required, as Darwin does
> not actually perform explicit access control checks for them (since
> they are capabilities). From a practical perspective, it was also
> entirely unclear what benefit there would be to auditing message
> send/receive operations, since they happen in vast volumes, and are
> largely opaque to the kernel. In a world with mandatory access
> control, the individual send and receive operations, as controlled
> operations, do need to be auditable, even if in practice they are
> not audited in most configurations.

In the current SEDarwin sources (in FreeBSD p4 and OpenDarwin cvs) we audit
send and receive as well as port right (capability) transfers. Port right
transfer is audited on both the sender and receiver end so you can specify
not only the ability to send a port right but also the receiver's right to
receive it. IIRC DTOS went even further and had the ability to specify that
a task could hold a right but not actually use it (useful for proxies).

For security-aware applications SEDarwin also supports mach message access
control at the method/service level. For instance, a task may be able to
send messages to the bootstrap server but the policy may only allow the task
to lookup existent names and not register new ones.

> On the other hand, auditing and controlling the handing out of
> ports by, say, the port name server would be both interesting and
> useful. The trick is finding a point where the semantic
> information is maximized, and volume of events is minimized, and
> the lookup of ports to reach services meets both of these
> requirements. While I was at McAfee, we spent some time looking at
> actual usage patterns for the name server and port IPC, and found
> it quite interesting. To do this, we created a Darwin MAC
> framework module that traced the communications, and fed the
> results into various processing tools, including visualization
> using graphviz. I'm not sure the module supporting this analysis
> was ever shipped in an SEDarwin release, but someone at SPARTA
> might be able to dig it up. The SEDarwin tree may also ship with
> some command line tools for inspecting the current mach bootstrap
> name space, and sample access control for that name space in
> mach_init.

Yes, the current distribution contains the ipctrace module and some scripts
for feeding its output to graphviz.

 - todd

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 01:55:01 2006
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id E478716A401
    for ; Thu, 16 Mar 2006 01:55:00 +0000 (UTC)
    (envelope-from john@positive-id.biz)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 4AC0343D55
    for ; Thu, 16 Mar 2006 01:54:56 +0000 (GMT)
    (envelope-from john@positive-id.biz)
Received: from friend (c-69-245-6-192.hsd1.tn.comcast.net [69.245.6.192])
    by cyrus.watson.org (Postfix) with ESMTP id 3123446B89
    for ; Wed, 15 Mar 2006 20:35:09 -0500 (EST)
Message-ID: <000001c64899$ea048a00$0100007f@owner-abcab1nsf>
From: "Philip"
Date: Wed, 15 Mar 2006 20:35:32 +0100
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
    boundary="------------ms040105030203020902090709"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Cheap Meds !
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Thu, 16 Mar 2006 01:55:01 -0000

This is a multi-part message in MIME format.

--------------ms040105030203020902090709
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: quoted-printable

--------------ms040105030203020902090709--

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 02:16:59 2006
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id E448216A41F
    for ; Thu, 16 Mar 2006 02:16:59 +0000 (UTC)
    (envelope-from bluszcz@singapore.net)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id 903AA43D45
    for ; Thu, 16 Mar 2006 02:16:59 +0000 (GMT)
    (envelope-from bluszcz@singapore.net)
Received: from 145925664 (20132183231.user.veloxzone.com.br [201.32.183.231])
    by cyrus.watson.org (Postfix) with SMTP id 8194346B99
    for ; Wed, 15 Mar 2006 21:16:32 -0500 (EST)
Received: from singapore.net (145046872 [143292152])
    by 20132183231.user.veloxzone.com.br (Qmailv1) with ESMTP id 9A47E1D62E
    for ; Wed, 15 Mar 2006 19:02:16 -0500
Date: Wed, 15 Mar 2006 19:02:16 -0500
From: International Mailing Services
X-Mailer: The Bat! (v2.00.5) Personal
X-Priority: 3
Message-ID: <3906733787.20060315190216@singapore.net>
To: Trustedbsd
Content-Transfer-Encoding: 7bit
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
MIME-Version: 1.0
Content-Type: text/plain
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Supervisor Vacancy
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Thu, 16 Mar 2006 02:17:00 -0000

Dear employee,

At present we have a vacant position of the Supervisor to work in our
International Mailing Services (IMS) Department. Supervisor will be
responsible for managing the process of receiving and sending Euro Trade
Company correspondence (goods and letters). You will have possibility to
earn more money working as a Supervisor. You'll earn 1800-3000$ per month
working at home.

Requirements:
 * To be able to live and work in the USA;
 * To have personal computer, telephone and access to Internet;
 * To be able to work a few hours per day;
 * To be able to learn shipping systems (FedEx, UPS, Airborne, etc.);
 * To have experience in MS Word and MS Excel;
 * To be self-motivated, independent and critical thinker;
 * To be able to work independently and as a part of a team.

Responsibilities:
 * To monitor the work of the shippers;
 * To manage procurement (IMS) department's mail by retrieving or
   receiving items from post office and delivery services and to process
   Euro Trade Company correspondence into departments all over the world
   for the inner need of the Company and its employees;
 * To receive, inspect, sort and ship required items (packages) to
   specific departments in/out side of US. Generally IMS department's
   shipments consist of electronics (computers, laptops, photo equipment).

To obtain this position you should:
 * [1]Register at the web site and write an application letter to the
   Coordination manager.
 * [2]Read more about Supervisor position

If you received this email by mistake and do not want to receive future
notice from us please send a message to this address:
[3]remove@eurotradeinc.com

Please report abuse to this address: [4]abuse@eurotradeinc.com

Faithfully yours,
Euro trade Inc., HR Department

References
 1. http://www.eurotradeinc.com/index.php?page=register
 2. http://www.eurotradeinc.com/index.php?page=supervisor
 3. mailto:remove@eurotradeinc.com
 4. mailto:abuse@eurotradeinc.com

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 04:29:41 2006
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 4324C16A400
    for ; Thu, 16 Mar 2006 04:29:41 +0000 (UTC)
    (envelope-from pcollins@gobiernofederal.com)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id C04CE43D49
    for ; Thu, 16 Mar 2006 04:29:40 +0000 (GMT)
    (envelope-from pcollins@gobiernofederal.com)
Received: from freeproblem.com (unknown [211.195.118.186])
    by cyrus.watson.org (Postfix) with SMTP id AC05546B4B
    for ; Wed, 15 Mar 2006 23:29:12 -0500 (EST)
Received: from gobiernofederal.com (gobiernofederal-com-bk.mr.outblaze.com [64.62.181.92])
    by freeproblem.com (Postfix) with ESMTP id 69FEB9519D
    for ; Wed, 15 Mar 2006 23:26:16 -0500
Message-ID: <6.0.0.22.1.20060315232616.0e24afac@gobiernofederal.com>
X-Sender: Algiers@gobiernofederal-com-bk.mr.outblaze.com
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Wed, 15 Mar 2006 23:26:16 -0500
To: trustedbsd-discuss
From: Pimenov I.A.
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=windows-1251
Content-Transfer-Encoding: quoted-printable
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: freeproblem.com)
Subject: =?windows-1251?b?4iDu8uTl6yDv7iDw4OHu8uUg8SDq6+jl7fLg7Og=?=
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Thu, 16 Mar 2006 04:29:41 -0000

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 05:28:30 2006
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 27F5116A41F
    for ; Thu, 16 Mar 2006 05:28:30 +0000 (UTC)
    (envelope-from amna@rikskonserter.se)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id E71FC43D45
    for ; Thu, 16 Mar 2006 05:28:27 +0000 (GMT)
    (envelope-from amna@rikskonserter.se)
Received: from rikskonserter.se (unknown [60.22.53.191])
    by cyrus.watson.org (Postfix) with SMTP id 71B2A46B6C
    for ; Thu, 16 Mar 2006 00:27:59 -0500 (EST)
Message-ID: <000001c648ba$61484140$7684a8c0@rth6>
From: "Amna Mooring"
To: trustedbsd-discuss@trustedbsd.org
Date: Thu, 16 Mar 2006 00:27:55 -0500
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: PhpCaramacy news
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Amna Mooring
List-Id: TrustedBSD General Discussion List
X-List-Received-Date: Thu, 16 Mar 2006 05:28:30 -0000

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 08:00:07 2006
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 626E016A401
    for ; Thu, 16 Mar 2006 08:00:07 +0000 (UTC)
    (envelope-from odell_ld@pacbell.net)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
    by mx1.FreeBSD.org (Postfix) with ESMTP id F09C943D45
    for ; Thu, 16 Mar 2006 08:00:06 +0000 (GMT)
    (envelope-from odell_ld@pacbell.net)
Received: from charter.net (unknown [60.15.145.164])
    by cyrus.watson.org (Postfix) with ESMTP id 7BBD346C19
    for ; Thu, 16 Mar 2006 02:59:36 -0500 (EST)
From: "Derek Odell" To: trustedbsd-discuss@trustedbsd.org Date: Thu, 16 Mar 2006 20:57:01 +0000 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: base64 Cc: Subject: The Bullseye Report X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 08:00:07 -0000 
From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 08:24:44 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org 
(mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AE7E16A400 for ; Thu, 16 Mar 2006 08:24:44 +0000 (UTC) (envelope-from jrojaswi@cel.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1475B43D7E for ; Thu, 16 Mar 2006 08:24:44 +0000 (GMT) (envelope-from jrojaswi@cel.com) Received: from lycos.com (mtl93-1-82-67-180-247.fbx.proxad.net [82.67.180.247]) by cyrus.watson.org (Postfix) with ESMTP id 6752046B04 for ; Thu, 16 Mar 2006 03:24:18 -0500 (EST) Message-ID: 
From: "Julio Rojas" To: trustedbsd-discuss@trustedbsd.org Date: Thu, 16 Mar 2006 21:21:49 +0000 MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: base64 Cc: Subject: Undiscovered and Uncovered Smallcap X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 08:24:44 -0000 
From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 09:19:39 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: 
trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F2B616A422 for ; Thu, 16 Mar 2006 09:19:39 +0000 (UTC) (envelope-from herman.bollers@deltamarketplace.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1E18843D46 for ; Thu, 16 Mar 2006 09:19:37 +0000 (GMT) (envelope-from herman.bollers@deltamarketplace.com) Received: from localhost (unknown [58.77.192.12]) by cyrus.watson.org (Postfix) with SMTP id 1D28246BCA for ; Thu, 16 Mar 2006 04:19:09 -0500 (EST) Received: from [205.248.102.79] (port=25 helo=mailc.microsoft.com) by mailc.microsoft.com with smtp for trustedbsd-discuss@trustedbsd.org; Thu, 23 Mar 2006 18:21:22 +0900 Received: from [32.97.182.141] (port=25 helo=e1.ny.us.ibm.com) by e1.ny.us.ibm.com with smtp for trustedbsd-discuss@trustedbsd.org; Thu, 23 Mar 2006 18:21:22 +0900 Message-ID: <000001c64905$49e44a80$0100007f@localhost> 
From: "Leonardo Murphy" To: Date: Thu, 23 Mar 2006 18:21:22 +0900 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Don't get left behind! X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 09:19:39 -0000 Finally the real thing- no more ripoffs! Enhancement Patches are hot right now, VERY hot! Unfortunately, most are cheap imitations and do very little to increase your size and stamina. Well this is the real thing, not an imitation! One of the very originals, the absolutely strongest Patch available, anywhere! A top team of British scientists and medical doctors have worked to develop the state-of-the-art Pen1s Enlargement Patch delivery system which automatically increases pen1s size up to 3-4 full inches. The patches are the easiest and most effective way to increase your size. You won't have to take pills, get under the knife to perform expensive and very painful surgery, use any pumps or other devices. No one will ever find out that you are using our product. Just apply one patch on your body and wear it for 3 days and you will start noticing dramatic results. Millions of men are taking advantage of this revolutionary new product - Don't be left behind! As an added incentive, they are offering huge discount specials right now, check out the site to see for yourself! Here's the link to check out! 
http://www.curbaz.biz/pt/?46&ietnw From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 11:13:16 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9994F16A423 for ; Thu, 16 Mar 2006 11:13:16 +0000 (UTC) (envelope-from Twaroch@graybrosstmp.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5024E43D60 for ; Thu, 16 Mar 2006 11:13:05 +0000 (GMT) (envelope-from Twaroch@graybrosstmp.com) Received: from 144616080 (unknown [211.197.185.179]) by cyrus.watson.org (Postfix) with SMTP id 0C4B846B49 for ; Thu, 16 Mar 2006 06:12:20 -0500 (EST) Received: from graybrosstmp.com (144342664 [145582672]) by gianttiger.net (Qmailv1) with ESMTP id 3333E71121 for ; Thu, 16 Mar 2006 06:26:20 -0500 Date: Thu, 16 Mar 2006 06:26:20 -0500 
From: "Purport O. Kawabata" X-Mailer: The Bat! (v2.00.8) Personal X-Priority: 3 Message-ID: <8242757865.20060316062620@graybrosstmp.com> To: Trustedbsd MIME-Version: 1.0 X-Virus-Scanned: by AMaViS perl-11 mion Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: The Ultimate Online Pharmaceutical X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 11:13:16 -0000 Vlifagra $3.3 Levitera $3.3 Cialris $3.7 Imitreex $16.4 Fplomax $2.2 Ultrwam $0.78 Viofxx $4.75 Ampblem $2.2 VaIihum - $0.97 Xanfax $1.09 Sonma $3 Merisdia $2.2 visit our website http://icanlaves.com/?UHJENDRUBGR0FUVlFHURxWWkdWREFAdEFDR0BAUFVQQFAbXkBU ___ Best regards, Online Pharmaceuticals fjkuwohnf RUBGR0FUVlFHURxWWkdWREFAdEFDR0BAUFVQQFAbXkBU Home is where the heart is. All that glitters is not gold. Every picture tells a story. From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:15:06 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 066E016A420 for ; Thu, 16 Mar 2006 12:15:05 +0000 (UTC) (envelope-from aspirators@infospace.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id CEC0443D58 for ; Thu, 16 Mar 2006 12:14:55 +0000 (GMT) (envelope-from aspirators@infospace.com) Received: from ti221110a080-13441.bb.online.no (ti221110a080-13441.bb.online.no [83.109.180.129]) by cyrus.watson.org (Postfix) with SMTP id 93CB946BF9 for ; Thu, 16 Mar 2006 07:14:29 -0500 (EST) 
From: "Aldrich Wilbur" To: "Aldridge Wilburn" Date: Thu, 16 Mar 2006 12:14:53 +0000 Message-ID: <2aca01c648f3$00252e8a$3bb4e677@ti221110a080-13441.bb.online.no> MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0DE1_2567A893.4BCF0DE1" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1441 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re[2]: X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:15:06 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_0DE1_2567A893.4BCF0DE1 Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable determined eyes, her dark silhouette in the doorway and a parcel = wrapped in white paper. '" I'd see you out, but I don't trust myself to come back alone, = I'm afraid." '" Don't be afraid. Just wait a few hours. I'll be back = tomorrow morning." 'Those were the last words that I heard her say. 'Sshh! ' The patient suddenly interrupted himself and raised = Ms finger. ' It's a restless moonlit night.' He disappeared on to the = balcony. Ivan heard the sound of wheels along the corridor, there was a faint = groan or cry. When all was quiet again, the visitor came back and reported = that a patient had been put into room No. 120, a man who kept asking for his = head back. Both men relapsed into anxious silence for a while, but soon = resumed their interrupted talk. 
The visitor had just opened his mouth but the = night, as he had said, was a restless one : voices were heard in the corridor = and the visitor began to whisper into Ivan's ear so softly that only the = poet could hear what he was saying, with the exception of the first sentence = sl oko fo l omo g ninin popntrlnnnjo snr nknh ng qi n fnmni nj nr orotoonuoos fofm hll sdjksdfsdfsdlgkj sdflkjsdf lksdjfsdfsdf ------=_NextPart_000_0DE1_2567A893.4BCF0DE1-- From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:33:29 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8578616A400 for ; Thu, 16 Mar 2006 12:33:29 +0000 (UTC) (envelope-from info@business.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15F5E43D66 for ; Thu, 16 Mar 2006 12:33:28 +0000 (GMT) (envelope-from info@business.com) Received: from win2006 (gb.jb.245.174.revip.asianet.co.th [61.91.245.174]) by cyrus.watson.org (Postfix) with SMTP id E7B3646C0C for ; Thu, 16 Mar 2006 07:33:02 -0500 (EST) 
From: "businessman" To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Date: Thu, 16 Mar 2006 19:33:30 Message-Id: <20060316123302.E7B3646C0C@cyrus.watson.org> Cc: Subject: =?iso-8859-1?q?=CB=D2=A1=E0=C5=D7=CD=A1=BB=D4=B4=CB=D9=BB=D4=B4?= =?iso-8859-1?q?=B5=D2_=A4=D8=B3=A1=E7=A8=D0=E4=C1=E8=C1=D5=C7=D1?= =?iso-8859-1?q?=B9=E0=CB=E7=B9=E2=CD=A1=D2=CA_!!_?= X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:33:29 -0000 Weird but truth !! ~ 27,000 - 350,000 baht/month by using your mobile phone / internet / advertisement. With our Honest , Rational , Legal business -support system Open your eyes , open your mind , Learn more in the worldwide. www.SMEsThai.net The chance won't come to whom, who wouldn't seek. Pardon me, if this mail interrupt you From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:33:29 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9404816A420 for ; Thu, 16 Mar 2006 12:33:29 +0000 (UTC) (envelope-from info@business.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 32CC943D67 for ; Thu, 16 Mar 2006 12:33:29 +0000 (GMT) (envelope-from info@business.com) Received: from win2006 (gb.jb.245.174.revip.asianet.co.th [61.91.245.174]) by cyrus.watson.org (Postfix) with SMTP id 4DD6C46C0E for ; Thu, 16 Mar 2006 07:33:03 -0500 (EST) 
From: "businessman" To: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Date: Thu, 16 Mar 2006 19:33:30 Message-Id: <20060316123303.4DD6C46C0E@cyrus.watson.org> Cc: Subject: =?iso-8859-1?q?=CB=D2=A1=E0=C5=D7=CD=A1=BB=D4=B4=CB=D9=BB=D4=B4?= =?iso-8859-1?q?=B5=D2_=A4=D8=B3=A1=E7=A8=D0=E4=C1=E8=C1=D5=C7=D1?= =?iso-8859-1?q?=B9=E0=CB=E7=B9=E2=CD=A1=D2=CA_!!_?= X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:33:29 -0000 Weird but truth !! ~ 27,000 - 350,000 baht/month by using your mobile phone / internet / advertisement. With our Honest , Rational , Legal business -support system Open your eyes , open your mind , Learn more in the worldwide. www.SMEsThai.net The chance won't come to whom, who wouldn't seek. Pardon me, if this mail interrupt you From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:43:10 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A772016A41F for ; Thu, 16 Mar 2006 12:43:10 +0000 (UTC) (envelope-from gilbert@first2office.biz) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F2D2C43D48 for ; Thu, 16 Mar 2006 12:43:09 +0000 (GMT) (envelope-from gilbert@first2office.biz) Received: from friend (cpe-70-95-19-121.hawaii.res.rr.com [70.95.19.121]) by cyrus.watson.org (Postfix) with ESMTP id 02C4746BF9 for ; Thu, 16 Mar 2006 07:42:42 -0500 (EST) Message-ID: <000001c648f7$2e724300$0100007f@Family> 
From: "Robert" To: Date: Thu, 16 Mar 2006 02:43:10 +0100 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="------------ms020502050004000808040403" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: She wants a better sex? All you need's here! X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:43:10 -0000 This is a multi-part message in MIME format. --------------ms020502050004000808040403 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable --------------ms020502050004000808040403-- From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:47:37 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 497F616A401 for ; Thu, 16 Mar 2006 12:47:37 +0000 (UTC) (envelope-from admirable@smapxsmap.net) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1D1443D4C for ; Thu, 16 Mar 2006 12:47:36 +0000 (GMT) (envelope-from admirable@smapxsmap.net) Received: from [85.108.158.28] (unknown [85.108.158.28]) by cyrus.watson.org (Postfix) with SMTP id 7A13146B2A for ; Thu, 16 Mar 2006 07:47:07 -0500 (EST) 
From: "Hairston Trey" To: "Hale Trinidad" Date: Thu, 16 Mar 2006 12:47:32 +0000 Message-ID: <1a8301c648f7$07c1dd44$3bb4e677@[85.108.158.28]> MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_A893_4BCF0DE1.2567A893" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1437 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re[9]: X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:47:37 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_A893_4BCF0DE1.2567A893 Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable round the pond, from which it was obvious that he seeing this locality for = the first time and that it interested him. His gaze halted on the upper = storeys, whose panes threw back a blinding, fragmented reflection of the sun = which was setting on Mikhail Alexandrovich for ever ; he then looked = downwards to where the windows were turning darker in the early evening twilight, = smiled patronisingly at something, frowned, placed his hands on the knob of = his cane and laid his chin on his hands. 'You see, Ivan,' said Berlioz,' you have written a = marvellously satirical description of the birth of Jesus, the son of God, but the = whole joke lies in the fact that there had already been a whole series of = sons of God before Jesus, such as the Phoenician Adonis, the Phrygian Attis, = the Persian Mithras. Of course not one of these ever existed, including = Jesus, and instead of the nativity or the arrival of the Magi you should = have described the absurd rumours about their arrival. But according to = your story the nativity really took place! 
' Here Bezdomny made an effort to stop his torturing hiccups and held = ko g pgsfkfhflg l g fgm f k gikkgsgifngufnf sfr rfuku ful um ugt iti tpupttpkti uuto sdjksdfsdfsdlgkj sdflkjsdf lksdjfsdfsdf ------=_NextPart_000_A893_4BCF0DE1.2567A893-- From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 12:57:10 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B802716A400 for ; Thu, 16 Mar 2006 12:57:10 +0000 (UTC) (envelope-from ahiynahkuyhi@55mail.cc) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1BE6143D72 for ; Thu, 16 Mar 2006 12:57:08 +0000 (GMT) (envelope-from ahiynahkuyhi@55mail.cc) Received: from serebu_woman-server99_soondeai-go-free1919_system08_heart-kiss.tv (pl079.nas936.o-tokyo.nttpc.ne.jp [210.165.29.79]) by cyrus.watson.org (Postfix) with SMTP id D954046B20 for ; Thu, 16 Mar 2006 07:56:42 -0500 (EST) Delivered-To: Received: from unknown (HELO system08_heart-kiss.tv) (725.584.55.215) by 0 with SMTP; 17 Mar 2006 07:23:45 +0900 Message-ID: 20060316210021.83784mail@mail.serebu_woman-server99_soondeai-go-free1919_system08_heart-kiss.tv 
From: ahiynahkuyhi@55mail.cc To: trustedbsd-discuss@trustedbsd.org MIME-Version: 1.0 Content-Type: text/plain; charset="iso-2022-jp" Content-Transfer-Encoding: 7bit Date: Thu, 16 Mar 2006 07:56:42 -0500 (EST) Cc: Subject: =?iso-2022-jp?b?GyRCSSwkOjApJCgkXiQ5ISobKEI=?= X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Mar 2006 12:57:10 -0000 
From owner-trustedbsd-discuss@FreeBSD.ORG Thu Mar 16 13:06:31 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEDFB16A425 for ; Thu, 16 Mar 2006 13:06:31 +0000 (UTC) (envelope-from shabbiness@on.com.tw) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id D6A6543D91 for ; Thu, 16 Mar 2006 13:06:20 +0000 (GMT) (envelope-from shabbiness@on.com.tw) Received: from host-81-190-250-23.elk.mm.pl (host-81-190-250-23.elk.mm.pl [81.190.250.23]) by cyrus.watson.org (Postfix) with SMTP id 1158E46B46 for ; Thu, 16 Mar 2006 08:05:49 -0500 (EST) 
From owner-trustedbsd-discuss@FreeBSD.ORG Mon Mar 20 15:08:54 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C7EC316A422 for ; Mon, 20 Mar 2006 15:08:54 +0000 (UTC) (envelope-from dingo@microbsd.net) Received: from bastille.optimhosts.com (bastille.optimhosts.com [203.177.161.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9255C43D6B for ; Mon, 20 Mar 2006 15:08:51 +0000 (GMT) (envelope-from dingo@microbsd.net) Received: from localhost (bastille.local [127.0.0.1]) by bastille.optimhosts.com (Postfix) with ESMTP id 595778C84D4 for ; Mon, 20 Mar 2006 23:04:33 +0800 (PHT) Received: from bastille.optimhosts.com ([127.0.0.1]) by localhost (bastille.optimhosts.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04960-01 for ; Mon, 20 Mar 2006 23:04:07 +0800 (PHT) Received: by bastille.optimhosts.com (Postfix, from userid 125) id 03A3A8C89D6; Mon, 20 Mar 2006 18:28:13 +0800 (PHT) Received: from [192.168.2.106] (unknown [210.213.197.25]) by bastille.optimhosts.com (Postfix) with ESMTP id 555198C8984 for ; Fri, 17 Mar 2006 18:13:04 +0800 (PHT)
From: Dingo To: trustedbsd-discuss@FreeBSD.org Content-Type: text/plain Date: Fri, 17 Mar 2006 18:16:22 +0000 Message-Id: <1142619382.96750.6.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at bastille.optimhosts.com Subject: SEBSD MAC Kernel build - AMD64 X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2006 15:08:54 -0000

Seems x86 kernel and world build fine on the SEBSD tree as of today, so the devfs issues seem resolved. At least I've booted a MAC kernel on x86.

make world builds/installs okay on AMD64 also, but building a MAC kernel doesn't work.

cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -g -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/contrib/altq -D_KERNEL -DHAVE_KERNEL_OPTION_HEADERS -include opt_global.h -fno-common -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-omit-frame-pointer -mcmodel=kernel -mno-red-zone -mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Werror /usr/src/sys/amd64/amd64/trap.c
/usr/src/sys/amd64/amd64/trap.c: In function `syscall':
/usr/src/sys/amd64/amd64/trap.c:828: warning: passing arg 2 of `mac_thread_syscall_enter' from incompatible pointer type
/usr/src/sys/amd64/amd64/trap.c:833: warning: passing arg 2 of `mac_thread_syscall_exit' from incompatible pointer type
/usr/src/sys/amd64/amd64/trap.c:840: warning: passing arg 2 of `mac_thread_syscall_enter' from incompatible pointer type
/usr/src/sys/amd64/amd64/trap.c:845: warning: passing arg 2 of `mac_thread_syscall_exit' from incompatible pointer type
*** Error code 1

Stop in /usr/obj/usr/src/sys/MAC.

From owner-trustedbsd-discuss@FreeBSD.ORG Mon Mar 20 16:31:08 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C93116A41F for ; Mon, 20 Mar 2006 16:31:08 +0000 (UTC) (envelope-from Todd.Miller@sparta.com) Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0237C43D6E for ; Mon, 20 Mar 2006 16:31:02 +0000 (GMT) (envelope-from Todd.Miller@sparta.com) Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id k2KGV0ed023805; Mon, 20 Mar 2006 10:31:00 -0600 Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id k2KGV03n030613; Mon, 20 Mar 2006 10:31:00 -0600 Received: from [127.0.0.1] ([157.185.80.253]) by nemo.columbia.ads.sparta.com
with Microsoft SMTPSVC(6.0.3790.1830); Mon, 20 Mar 2006 11:30:59 -0500 In-Reply-To: <1142619382.96750.6.camel@localhost.localdomain> References: <1142619382.96750.6.camel@localhost.localdomain> Mime-Version: 1.0 (Apple Message framework v746.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <4413AE6F-50E9-42A2-8DEE-CFABCFEEE800@sparta.com> Content-Transfer-Encoding: 7bit 
From: Todd Miller Date: Mon, 20 Mar 2006 11:30:57 -0500 To: Dingo X-Mailer: Apple Mail (2.746.3) X-OriginalArrivalTime: 20 Mar 2006 16:30:59.0399 (UTC) FILETIME=[ABB20570:01C64C3B] Cc: trustedbsd-discuss@FreeBSD.org Subject: Re: SEBSD MAC Kernel build - AMD64 X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2006 16:31:08 -0000 The arg parameters to mac_thread_syscall_* should probably be register_t * not int * so they match the machine word size. - todd From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 21 11:24:51 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A4E6916A400 for ; Tue, 21 Mar 2006 11:24:51 +0000 (UTC) (envelope-from dingo@microbsd.net) Received: from bastille.optimhosts.com (bastille.optimhosts.com [203.177.161.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id 548FB43D64 for ; Tue, 21 Mar 2006 11:24:45 +0000 (GMT) (envelope-from dingo@microbsd.net) Received: from localhost (bastille.local [127.0.0.1]) by bastille.optimhosts.com (Postfix) with ESMTP id 94FE28C84AA; Tue, 21 Mar 2006 19:20:35 +0800 (PHT) Received: from bastille.optimhosts.com ([127.0.0.1]) by localhost (bastille.optimhosts.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33479-01; Tue, 21 Mar 2006 19:20:06 +0800 (PHT) Received: from hp.optimlabs.com (unknown [210.213.197.25]) by bastille.optimhosts.com (Postfix) with ESMTP id DE41D8C8476; Tue, 21 Mar 2006 19:20:05 +0800 (PHT) 
From: Dingo To: Todd Miller In-Reply-To: <4413AE6F-50E9-42A2-8DEE-CFABCFEEE800@sparta.com> References: <1142619382.96750.6.camel@localhost.localdomain> <4413AE6F-50E9-42A2-8DEE-CFABCFEEE800@sparta.com> Content-Type: text/plain Date: Tue, 21 Mar 2006 19:23:27 +0800 Message-Id: <1142940208.96176.1.camel@hp.optimlabs.com> Mime-Version: 1.0 X-Mailer: Evolution 2.4.2.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 7bit X-Virus-Scanned: amavisd-new at bastille.optimhosts.com Cc: trustedbsd-discuss@FreeBSD.org Subject: Re: SEBSD MAC Kernel build - AMD64 X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2006 11:24:51 -0000

After your checkin today I am running SEBSD on AMD64; it did compile and build a MAC kernel and booted fine. So far so good, I'll get some testing thru both architectures.

On Mon, 2006-03-20 at 11:30 -0500, Todd Miller wrote:
> The arg parameters to mac_thread_syscall_* should probably be
> register_t *
> not int * so they match the machine word size.
>
> - todd

From owner-trustedbsd-discuss@FreeBSD.ORG Mon Mar 27 10:49:36 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8030516A422 for ; Mon, 27 Mar 2006 10:49:36 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id CFC4A43D46 for ; Mon, 27 Mar 2006 10:49:22 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 26115 invoked by uid 502); 27 Mar 2006 10:31:27 -0000 Received: from zhouyi04@ios.cn by abyss.iscas.cn by uid 0 with qmail-scanner-1.22 (hbedv: 6.24.0.7/6.24.0.69. spamassassin: 2.63. Clear:RC:0(159.226.5.225):SA:0(-99.1/9.0):.
Processed in 0.23776 secs); 27 Mar 2006 10:31:27 -0000 Received: from unknown (HELO zzy.H.qngy.gscas) (zhouyi04@159.226.5.225) by abyss.iscas.cn with SMTP; 27 Mar 2006 10:31:27 -0000 Date: Mon, 27 Mar 2006 18:41:33 +0800 
From: zhouyi zhou To: trustedbsd-discuss@FreeBSD.org Message-Id: <20060327184133.5a35b20f.zhouyi04@ios.cn> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on abyss.iscas.cn X-Spam-Status: No, hits=-99.1 required=9.0 tests=FROM_ENDS_IN_NUMS, USER_IN_WHITELIST autolearn=no version=2.63 X-Spam-Level: Subject: MAC Framework has conflict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Mar 2006 10:49:36 -0000

Hi,

MAC Framework has a conflict with IP firewall because in function ipfw_tick of file ip_fw2.c, the mbuf is created without its MAC label being initialized and sent directly to ip_output.

Sincerely yours
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences

From owner-trustedbsd-discuss@FreeBSD.ORG Mon Mar 27 10:55:06 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9141A16A422 for ; Mon, 27 Mar 2006 10:55:06 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id E83D743D58 for ; Mon, 27 Mar 2006 10:54:39 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 25942 invoked by uid 502); 27 Mar 2006 10:30:03 -0000 Received: from zhouyi04@ios.cn by abyss.iscas.cn by uid 0 with qmail-scanner-1.22 (hbedv: 6.24.0.7/6.24.0.69. spamassassin: 2.63. Clear:RC:0(159.226.5.225):SA:0(-99.1/9.0):.
Processed in 0.21659 secs); 27 Mar 2006 10:30:03 -0000 Received: from unknown (HELO zzy.H.qngy.gscas) (zhouyi04@159.226.5.225) by abyss.iscas.cn with SMTP; 27 Mar 2006 10:30:02 -0000 Date: Mon, 27 Mar 2006 18:40:13 +0800 
From: zhouyi zhou To: trustedbsd-discuss@FreeBSD.org Message-Id: <20060327184013.6d60173c.zhouyi04@ios.cn> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on abyss.iscas.cn X-Spam-Status: No, hits=-99.1 required=9.0 tests=FROM_ENDS_IN_NUMS, USER_IN_WHITELIST autolearn=no version=2.63 X-Spam-Level: Cc: freebsd-bugs@freebsd.org Subject: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Mar 2006 10:55:06 -0000

Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0

3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3470            if (mnew == NULL)
3471                    goto fail;
3472            mnew->m_pkthdr = n->m_pkthdr;
3473 #if 0
3474            /* XXX: convert to m_tag or delete? */
3475            if (n->m_pkthdr.aux) {
3476                    mnew->m_pkthdr.aux =
3477                        m_copym(n->m_pkthdr.aux,
3478                        0, M_COPYALL, M_DONTWAIT);
3479            }
3480 #endif
3481            M_MOVE_PKTHDR(mnew, n);

On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of course). This will cause the system to crash.

After commenting out line 3472, everything is OK.

Sincerely yours
Zhouyi Zhou
Institute of Software
Chinese Academy of Sciences

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 10:02:40 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BCBF16A41F; Tue, 28 Mar 2006 10:02:40 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id AAAE143D48; Tue, 28 Mar 2006 10:02:39 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 5085346BB6; Tue, 28 Mar 2006 05:02:39 -0500 (EST) Date: Tue, 28 Mar 2006 10:02:39 +0000 (GMT)
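The sequence from the ipsec_copypkt() report above, as an added user-space model (not FreeBSD source and not code from the thread). It assumes, as the report states, that the move first deletes the destination's tag chain, and further assumes that allocating a header mbuf under MAC attaches one label tag; all type and function names are made up for the model, and "freed" tags are only marked dead so the dangling references can be counted safely.

```c
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

/* Model types (hypothetical names, not the kernel's definitions). */
struct tag    { struct tag *next; int id; int live; };
struct pkthdr { int len; struct tag *tags; };
struct mbuf   { struct pkthdr m_pkthdr; };

static struct tag pool[POOL_SIZE];
static int pool_used;

static void pool_reset(void)
{
    memset(pool, 0, sizeof(pool));
    pool_used = 0;
}

static struct tag *tag_alloc(int id)
{
    struct tag *t;

    if (pool_used >= POOL_SIZE)
        return NULL;
    t = &pool[pool_used++];
    t->id = id;
    t->live = 1;
    t->next = NULL;
    return t;
}

static void tag_prepend(struct mbuf *m, struct tag *t)
{
    if (t == NULL)
        return;
    t->next = m->m_pkthdr.tags;
    m->m_pkthdr.tags = t;
}

/* "Free" every tag reachable from m: mark dead, keep memory for inspection. */
static void tag_delete_chain(struct mbuf *m)
{
    struct tag *t = m->m_pkthdr.tags;

    while (t != NULL) {
        t->live = 0;
        t = t->next;
    }
    m->m_pkthdr.tags = NULL;
}

/* Assumption: header allocation with MAC enabled attaches one label tag. */
static void get_hdr(struct mbuf *m, int label_id)
{
    m->m_pkthdr.len = 0;
    m->m_pkthdr.tags = NULL;
    tag_prepend(m, tag_alloc(label_id));
}

/* Move as described in the thread: drop to's tags, take from's header. */
static void move_pkthdr(struct mbuf *to, struct mbuf *from)
{
    tag_delete_chain(to);
    to->m_pkthdr = from->m_pkthdr;
    from->m_pkthdr.tags = NULL;
}

/*
 * Runs MGETHDR + optional struct copy (line 3472) + move (line 3481).
 * Returns the number of freed tags still reachable from mnew and stores
 * the number of valid tags in *live_out.
 */
int run_sequence(int struct_copy_first, int *live_out)
{
    struct mbuf n, mnew;
    const struct tag *t;
    int live = 0, dead = 0;

    pool_reset();
    get_hdr(&n, 1);                  /* n carries its label ...        */
    tag_prepend(&n, tag_alloc(2));   /* ... and one more tag           */
    n.m_pkthdr.len = 1500;

    get_hdr(&mnew, 3);               /* MGETHDR(mnew, ...)             */
    if (struct_copy_first)
        mnew.m_pkthdr = n.m_pkthdr;  /* line 3472: both share one list */
    move_pkthdr(&mnew, &n);          /* line 3481                      */

    for (t = mnew.m_pkthdr.tags; t != NULL; t = t->next) {
        if (t->live)
            live++;
        else
            dead++;
    }
    if (live_out != NULL)
        *live_out = live;
    return dead;
}

int main(void)
{
    int live, dead;

    dead = run_sequence(1, &live);
    printf("copy then move: %d live, %d dangling\n", live, dead);
    dead = run_sequence(0, &live);
    printf("move only:      %d live, %d dangling\n", live, dead);
    return 0;
}
```

With the struct copy in place the move deletes n's own tags through mnew's aliased list head and then hands mnew a pointer to the freed list; without it the move discards only mnew's fresh label and transfers n's tags intact.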
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: zhouyi zhou In-Reply-To: <20060327184013.6d60173c.zhouyi04@ios.cn> Message-ID: <20060328095916.A19236@fledge.watson.org> References: <20060327184013.6d60173c.zhouyi04@ios.cn> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: gnn@FreeBSD.org, freebsd-bugs@freebsd.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 10:02:40 -0000

On Mon, 27 Mar 2006, zhouyi zhou wrote:

> Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
> netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
>
> 3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
> 3470            if (mnew == NULL)
> 3471                    goto fail;
> 3472            mnew->m_pkthdr = n->m_pkthdr;
> 3473 #if 0
> 3474            /* XXX: convert to m_tag or delete? */
> 3475            if (n->m_pkthdr.aux) {
> 3476                    mnew->m_pkthdr.aux =
> 3477                        m_copym(n->m_pkthdr.aux,
> 3478                        0, M_COPYALL, M_DONTWAIT);
> 3479            }
> 3480 #endif
> 3481            M_MOVE_PKTHDR(mnew, n);
>
> On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
> function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
> course). This will cause the system to crash.
>
> After commenting out line 3472, everything is OK.

Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work, including copying the fields referenced in 3472, as well as handling existing m_tags right. I've attached a patch with your proposal, which looks and sounds good to me, and CC'd George and Bjoern in the hopes that one of them will give it a nod of approval before I commit it -- hopefully we can get this MFC'd for 6.1-RELEASE.

Robert N M Watson Index: ipsec.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v retrieving revision 1.43 diff -u -r1.43 ipsec.c --- ipsec.c 25 Jul 2005 12:31:42 -0000 1.43 +++ ipsec.c 28 Mar 2006 09:58:54 -0000 @@ -3469,15 +3469,6 @@ MGETHDR(mnew, M_DONTWAIT, MT_HEADER); if (mnew == NULL) goto fail; - mnew->m_pkthdr = n->m_pkthdr; -#if 0 - /* XXX: convert to m_tag or delete? */ - if (n->m_pkthdr.aux) { - mnew->m_pkthdr.aux = - m_copym(n->m_pkthdr.aux, - 0, M_COPYALL, M_DONTWAIT); - } -#endif M_MOVE_PKTHDR(mnew, n); } else { From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 10:18:38 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28CF316A426 for ; Tue, 28 Mar 2006 10:18:38 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id 1F86C43D45 for ; Tue, 28 Mar 2006 10:18:29 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 6064 invoked by uid 502); 28 Mar 2006 10:00:10 -0000 Received: from zhouyi04@ios.cn by abyss.iscas.cn by uid 0 with qmail-scanner-1.22 (hbedv: 6.24.0.7/6.24.0.69. spamassassin: 2.63. Clear:RC:0(159.226.5.225):SA:0(-99.1/9.0):. Processed in 0.138975 secs); 28 Mar 2006 10:00:10 -0000 Received: from unknown (HELO zzy.H.qngy.gscas) (zhouyi04@159.226.5.225) by abyss.iscas.cn with SMTP; 28 Mar 2006 10:00:10 -0000 Date: Tue, 28 Mar 2006 18:10:02 +0800 
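Review bot: please add a one-line comment above the surviving `M_MOVE_PKTHDR(mnew, n);` stating that it is the only place the packet header may be transferred, because the deleted `mnew->m_pkthdr = n->m_pkthdr;` left both mbufs pointing at the same tag list, which the report in this thread says the move then deletes. Without that comment the struct assignment is easy to reintroduce as a harmless-looking field copy. The `#if 0` block around `n->m_pkthdr.aux` is dead code unrelated to the crash; say so in the commit log so the cleanup is not mistaken for part of the fix when this is merged to the release branches.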
From: zhouyi zhou To: Robert Watson Message-Id: <20060328181002.1c8c5691.zhouyi04@ios.cn> In-Reply-To: <20060328095916.A19236@fledge.watson.org> References: <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on abyss.iscas.cn X-Spam-Status: No, hits=-99.1 required=9.0 tests=FROM_ENDS_IN_NUMS, USER_IN_WHITELIST autolearn=no version=2.63 X-Spam-Level: Cc: gnn@FreeBSD.org, freebsd-bugs@freebsd.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 10:18:38 -0000

Dear Watson,

It is my pleasure, is any one willing to settle the mbuf without label initialized problem in function ipfw_tick? If there is none, I am willing to do it.

Sincerely yours
Zhouyi Zhou

On Tue, 28 Mar 2006 10:02:39 +0000 (GMT) Robert Watson wrote:

>
> On Mon, 27 Mar 2006, zhouyi zhou wrote:
>
> > Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
> > netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
> >
> > 3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
> > 3470            if (mnew == NULL)
> > 3471                    goto fail;
> > 3472            mnew->m_pkthdr = n->m_pkthdr;
> > 3473 #if 0
> > 3474            /* XXX: convert to m_tag or delete? */
> > 3475            if (n->m_pkthdr.aux) {
> > 3476                    mnew->m_pkthdr.aux =
> > 3477                        m_copym(n->m_pkthdr.aux,
> > 3478                        0, M_COPYALL, M_DONTWAIT);
> > 3479            }
> > 3480 #endif
> > 3481            M_MOVE_PKTHDR(mnew, n);
> >
> > On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
> > function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
> > course). This will cause the system to crash.
> >
> > After commenting out line 3472, everything is OK.
>
> Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work,
> including copying the fields referenced in 3472, as well as handling existing
> m_tags right. I've attached a patch with your proposal, which looks and
> sounds good to me, and CC'd George and Bjoern in the hopes that one of them
> will give it a nod of approval before I commit it -- hopefully we can get
> this MFC'd for 6.1-RELEASE.
>
> Robert N M Watson
>
> Index: ipsec.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v > retrieving revision 1.43 > diff -u -r1.43 ipsec.c > --- ipsec.c 25 Jul 2005 12:31:42 -0000 1.43 > +++ ipsec.c 28 Mar 2006 09:58:54 -0000
> @@ -3469,15 +3469,6 @@ > MGETHDR(mnew, M_DONTWAIT, MT_HEADER); > if (mnew == NULL) > goto fail; > - mnew->m_pkthdr = n->m_pkthdr; > -#if 0 > - /* XXX: convert to m_tag or delete? */ > - if (n->m_pkthdr.aux) { > - mnew->m_pkthdr.aux = > - m_copym(n->m_pkthdr.aux, > - 0, M_COPYALL, M_DONTWAIT); > - } > -#endif > M_MOVE_PKTHDR(mnew, n); > } > else { > From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 10:21:57 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB4DE16A401; Tue, 28 Mar 2006 10:21:57 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from pittgoth.com (ns1.pittgoth.com [216.38.206.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 38BE543D45; Tue, 28 Mar 2006 10:21:56 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (net-ix.gw.ai.net [205.134.160.6] (may be forged)) (authenticated bits=0) by pittgoth.com (8.13.4/8.13.4) with ESMTP id k2SBIh88077713 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 28 Mar 2006 06:18:43 -0500 (EST) (envelope-from trhodes@FreeBSD.org) Date: Tue, 28 Mar 2006 05:21:50 -0500 
From: Tom Rhodes To: Robert Watson Message-Id: <20060328052150.5f96e147.trhodes@FreeBSD.org> In-Reply-To: <20060328095916.A19236@fledge.watson.org> References: <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org> X-Mailer: Sylpheed version 1.0.5 (GTK+ 1.2.10; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: gnn@FreeBSD.org, freebsd-bugs@FreeBSD.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org, zhouyi04@ios.cn Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 10:21:57 -0000

On Tue, 28 Mar 2006 10:02:39 +0000 (GMT) Robert Watson wrote:

>
> On Mon, 27 Mar 2006, zhouyi zhou wrote:
>
> > Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
> > netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
> >
> > 3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
> > 3470            if (mnew == NULL)
> > 3471                    goto fail;
> > 3472            mnew->m_pkthdr = n->m_pkthdr;
> > 3473 #if 0
> > 3474            /* XXX: convert to m_tag or delete? */
> > 3475            if (n->m_pkthdr.aux) {
> > 3476                    mnew->m_pkthdr.aux =
> > 3477                        m_copym(n->m_pkthdr.aux,
> > 3478                        0, M_COPYALL, M_DONTWAIT);
> > 3479            }
> > 3480 #endif
> > 3481            M_MOVE_PKTHDR(mnew, n);
> >
> > On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
> > function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
> > course). This will cause the system to crash.
> >
> > After commenting out line 3472, everything is OK.
>
> Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work,
> including copying the fields referenced in 3472, as well as handling existing
> m_tags right. I've attached a patch with your proposal, which looks and
> sounds good to me, and CC'd George and Bjoern in the hopes that one of them
> will give it a nod of approval before I commit it -- hopefully we can get
> this MFC'd for 6.1-RELEASE.
>
> Robert N M Watson
>

Should also close kern/94599

--
Tom Rhodes

From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 10:30:16 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11C8A16A422; Tue, 28 Mar 2006 10:30:16 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 643EF43D49; Tue, 28 Mar 2006 10:30:13 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id D6F3046BA0; Tue, 28 Mar 2006 05:30:12 -0500 (EST) Date: Tue, 28 Mar 2006 10:30:12 +0000 (GMT)
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: zhouyi zhou In-Reply-To: <20060328181002.1c8c5691.zhouyi04@ios.cn> Message-ID: <20060328102522.S19236@fledge.watson.org> References: <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org> <20060328181002.1c8c5691.zhouyi04@ios.cn> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: gnn@FreeBSD.org, freebsd-bugs@freebsd.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 10:30:16 -0000

On Tue, 28 Mar 2006, zhouyi zhou wrote:

> It is my pleasure, is any one willing to settle the mbuf without label
> initialized problem in function ipfw_tick? If there is none, I am willing to
> do it.

I took a quick glance at that one, need to look at it some more. The tricky thing is figuring out what label to assign. ipfw_tick() appears to use send_pkt() to generate keepalives; this function is also used to generate RST's. In the RST case, we have existing MAC entry points to generate the label of a replying RST to a TCP segment, and should use that. In the case where a keepalive is spontaneously generated by the firewall rule, that's a little more tricky. One possibility is that ipfw needs to learn about associating MAC labels with IPFW dynamic rules. Another possibility is that IPFW should use a label assigned for spontaneously generated packets. The former is certainly more complicated to implement, but is more what one actually wants, whereas the latter is easy to implement, but means that the keepalive might not actually be delivered to the end socket because the label might not match. If you have time to look at this, that would be great -- I'm pretty occupied for the next few days, and it would be very good to get a fix into the RELENG_5 and RELENG_6 trees before their respective releases in the next couple of weeks.

I'm not entirely sure why ipfw2 is generating keepalives -- normally, it strikes me that that is something the two end hosts would do, not the intermediate firewall.

Thanks,

Robert N M Watson

> On Tue, 28 Mar 2006 10:02:39 +0000 (GMT)
> Robert Watson wrote:
>
>>
>> On Mon, 27 Mar 2006, zhouyi zhou wrote:
>>
>>> Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
>>> netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
>>>
>>> 3469            MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
>>> 3470            if (mnew == NULL)
>>> 3471                    goto fail;
>>> 3472            mnew->m_pkthdr = n->m_pkthdr;
>>> 3473 #if 0
>>> 3474            /* XXX: convert to m_tag or delete? */
>>> 3475            if (n->m_pkthdr.aux) {
>>> 3476                    mnew->m_pkthdr.aux =
>>> 3477                        m_copym(n->m_pkthdr.aux,
>>> 3478                        0, M_COPYALL, M_DONTWAIT);
>>> 3479            }
>>> 3480 #endif
>>> 3481            M_MOVE_PKTHDR(mnew, n);
>>>
>>> On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
>>> function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
>>> course). This will cause the system to crash.
>>>
>>> After commenting out line 3472, everything is OK.
>>
>> Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work,
>> including copying the fields referenced in 3472, as well as handling existing
>> m_tags right. I've attached a patch with your proposal, which looks and
>> sounds good to me, and CC'd George and Bjoern in the hopes that one of them
>> will give it a nod of approval before I commit it -- hopefully we can get
>> this MFC'd for 6.1-RELEASE.
>> >> Robert N M Watson >> >> Index: ipsec.c >> =================================================================== >> RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v >> retrieving revision 1.43 >> diff -u -r1.43 ipsec.c >> --- ipsec.c 25 Jul 2005 12:31:42 -0000 1.43 >> +++ ipsec.c 28 Mar 2006 09:58:54 -0000 >> @@ -3469,15 +3469,6 @@ >> MGETHDR(mnew, M_DONTWAIT, MT_HEADER); >> if (mnew == NULL) >> goto fail; >> - mnew->m_pkthdr = n->m_pkthdr; >> -#if 0 >> - /* XXX: convert to m_tag or delete? */ >> - if (n->m_pkthdr.aux) { >> - mnew->m_pkthdr.aux = >> - m_copym(n->m_pkthdr.aux, >> - 0, M_COPYALL, M_DONTWAIT); >> - } >> -#endif >> M_MOVE_PKTHDR(mnew, n); >> } >> else { >> > From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 11:36:29 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C3A3616A423 for ; Tue, 28 Mar 2006 11:36:29 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id A179143D5A for ; Tue, 28 Mar 2006 11:36:22 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 18499 invoked by uid 501); 28 Mar 2006 11:18:09 -0000 Message-ID: <20060328111809.18498.qmail@abyss.iscas.cn> References: <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org> <20060328181002.1c8c5691.zhouyi04@ios.cn> <20060328102522.S19236@fledge.watson.org> In-Reply-To: <20060328102522.S19236@fledge.watson.org> 
From: zhouyi04@ios.cn To: Robert Watson Date: Tue, 28 Mar 2006 19:18:08 +0800 Mime-Version: 1.0 Content-Type: text/plain; format=flowed; charset="gb2312" Content-Transfer-Encoding: 7bit Cc: gnn@FreeBSD.org, freebsd-bugs@freebsd.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 11:36:29 -0000

I am quite occupied too :), but I am trying to use my spare time to look it over. Hope we can settle it soon.

Sincerely yours
Zhouyi Zhou

> Robert Watson writes:
>
> On Tue, 28 Mar 2006, zhouyi zhou wrote:
>
>> It is my pleasure, is any one willing to settle the mbuf without label
>> initialized problem in function ipfw_tick? if there is none, I am willing
>> to do it.
>
> I took a quick glance at that one, need to look at it some more. The
> tricky thing is figuring out what label to assign. ipfw_tick() appears to
> use send_pkt() to generate keepalives; this function is also used to
> generate RST's. In the RST case, we have existing MAC entry points to
> generate the label of a replying RST to a TCP segment, and should use
> that. In the case where a keepalive is spontaneously generated by the
> firewall rule, that's a little more tricky. One possibility is that ipfw
> needs to learn about associating MAC labels with IPFW dynamic rules.
> Another possibility is that IPFW should use a label assigned for
> spontaneously generated packets. The former is certainly more complicated
> to implement, but is more what one actually wants, whereas the latter is
> easy to implement, but means that the keepalive might not actually be
> delivered to the end socket because the label might not match. If you
> have time to look at this, that would be great -- I'm pretty occupied for
> the next few days, and it would be very good to get a fix into the
> RELENG_5 and RELENG_6 trees before their respective releases in the next
> couple of weeks.
>
> I'm not entirely sure why ipfw2 is generating keepalives -- normally, it
> strikes me that that is something the two end hosts would do, not the
> intermediate firewall.
>
> Thanks,
>
> Robert N M Watson
>
>
>> On Tue, 28 Mar 2006 10:02:39 +0000 (GMT)
>> Robert Watson wrote:
>>
>>>
>>> On Mon, 27 Mar 2006, zhouyi zhou wrote:
>>>
>>>> Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
>>>> netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
>>>>
>>>> 3469         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
>>>> 3470         if (mnew == NULL)
>>>> 3471                 goto fail;
>>>> 3472         mnew->m_pkthdr = n->m_pkthdr;
>>>> 3473 #if 0
>>>> 3474         /* XXX: convert to m_tag or delete? */
>>>> 3475         if (n->m_pkthdr.aux) {
>>>> 3476                 mnew->m_pkthdr.aux =
>>>> 3477                     m_copym(n->m_pkthdr.aux,
>>>> 3478                     0, M_COPYALL, M_DONTWAIT);
>>>> 3479         }
>>>> 3480 #endif
>>>> 3481         M_MOVE_PKTHDR(mnew, n);
>>>>
>>>> On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
>>>> function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
>>>> course). This will cause the system to crash.
>>>>
>>>> After commenting out line 3472, everything is OK.
>>>
>>> Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work,
>>> including copying the fields referenced in 3472, as well as handling existing
>>> m_tags right. I've attached a patch with your proposal, which looks and
>>> sounds good to me, and CC'd George and Bjoern in the hopes that one of them
>>> will give it a nod of approval before I commit it -- hopefully we can get
>>> this MFC'd for 6.1-RELEASE.
>>> >>> Robert N M Watson >>> >>> Index: ipsec.c >>> =================================================================== >>> RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v >>> retrieving revision 1.43 >>> diff -u -r1.43 ipsec.c >>> --- ipsec.c 25 Jul 2005 12:31:42 -0000 1.43 >>> +++ ipsec.c 28 Mar 2006 09:58:54 -0000 >>> @@ -3469,15 +3469,6 @@ >>> MGETHDR(mnew, M_DONTWAIT, MT_HEADER); >>> if (mnew == NULL) >>> goto fail; >>> - mnew->m_pkthdr = n->m_pkthdr; >>> -#if 0 >>> - /* XXX: convert to m_tag or delete? */ >>> - if (n->m_pkthdr.aux) { >>> - mnew->m_pkthdr.aux = >>> - m_copym(n->m_pkthdr.aux, >>> - 0, M_COPYALL, M_DONTWAIT); >>> - } >>> -#endif >>> M_MOVE_PKTHDR(mnew, n); >>> } >>> else { >>> >> From owner-trustedbsd-discuss@FreeBSD.ORG Tue Mar 28 11:40:54 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0B9B016A401; Tue, 28 Mar 2006 11:40:54 +0000 (UTC) (envelope-from gnn@neville-neil.com) Received: from mrout2-b.corp.dcn.yahoo.com (mrout2-b.corp.dcn.yahoo.com [216.109.112.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9ED6743D45; Tue, 28 Mar 2006 11:40:53 +0000 (GMT) (envelope-from gnn@neville-neil.com) Received: from minion.local.neville-neil.com (proxy7.corp.yahoo.com [216.145.48.98]) by mrout2-b.corp.dcn.yahoo.com (8.13.6/8.13.4/y.out) with ESMTP id k2SBeVpZ068862; Tue, 28 Mar 2006 03:40:32 -0800 (PST) Date: Tue, 28 Mar 2006 19:40:25 +0800 Message-ID: 
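The crash reported for ipsec_copypkt() in the thread above, modelled in user space as an added example (not code from the thread or from FreeBSD). The structures, the tag pool and the function bodies are simplified assumptions; m_move_pkthdr() here deletes the destination's tag list before the move, as the report states.

```c
#include <stddef.h>
#include <stdio.h>

#define POOL 8

/* Simplified stand-ins for the kernel structures (assumed layout). */
struct m_tag  { struct m_tag *next; int id; };
struct pkthdr { int len; struct m_tag *tags; };
struct mbuf   { int has_pkthdr; struct pkthdr m_pkthdr; };

/* Tags live in a static pool, so a "freed" tag can be inspected safely. */
static struct m_tag pool[POOL];
static int live[POOL];
static int next_slot;
static int double_frees;

static void pool_reset(void)
{
    for (int i = 0; i < POOL; i++)
        live[i] = 0;
    next_slot = 0;
    double_frees = 0;
}

static struct m_tag *tag_alloc(int id)
{
    struct m_tag *t = &pool[next_slot];
    live[next_slot++] = 1;
    t->id = id;
    t->next = NULL;
    return t;
}

static void tag_free(struct m_tag *t)
{
    int i = (int)(t - pool);
    if (!live[i])
        double_frees++;          /* freeing a tag that is already gone */
    live[i] = 0;
}

static void m_tag_prepend(struct mbuf *m, struct m_tag *t)
{
    t->next = m->m_pkthdr.tags;
    m->m_pkthdr.tags = t;
}

static void m_tag_delete_chain(struct mbuf *m)
{
    struct m_tag *t = m->m_pkthdr.tags, *next;
    for (; t != NULL; t = next) {
        next = t->next;
        tag_free(t);
    }
    m->m_pkthdr.tags = NULL;
}

/* Move: drop the destination's tags, then pass ownership from 'from'. */
static void m_move_pkthdr(struct mbuf *to, struct mbuf *from)
{
    if (to->has_pkthdr)
        m_tag_delete_chain(to);
    to->m_pkthdr = from->m_pkthdr;
    to->has_pkthdr = 1;
    from->m_pkthdr.tags = NULL;
    from->has_pkthdr = 0;
}

/* Packet n carries two tags; mnew is a fresh header mbuf. */
static void setup_and_copy(struct mbuf *n, struct mbuf *mnew, int buggy)
{
    pool_reset();
    n->has_pkthdr = 1;
    n->m_pkthdr.len = 1500;
    n->m_pkthdr.tags = NULL;
    m_tag_prepend(n, tag_alloc(1));
    m_tag_prepend(n, tag_alloc(2));
    mnew->has_pkthdr = 1;                 /* what MGETHDR hands back */
    mnew->m_pkthdr.len = 0;
    mnew->m_pkthdr.tags = NULL;
    if (buggy)
        mnew->m_pkthdr = n->m_pkthdr;     /* line 3472: both share one list */
    m_move_pkthdr(mnew, n);               /* line 3481 */
}

/* Number of tags reachable from mnew that have already been freed. */
int dangling_after_copy(int buggy)
{
    struct mbuf n, mnew;
    int count = 0;
    setup_and_copy(&n, &mnew, buggy);
    for (struct m_tag *t = mnew.m_pkthdr.tags; t != NULL; t = t->next)
        if (!live[t - pool])
            count++;
    return count;
}

/* Number of double frees seen when mnew is later released. */
int double_frees_on_release(int buggy)
{
    struct mbuf n, mnew;
    setup_and_copy(&n, &mnew, buggy);
    m_tag_delete_chain(&mnew);
    return double_frees;
}

int main(void)
{
    printf("with line 3472:    dangling=%d double_frees=%d\n",
        dangling_after_copy(1), double_frees_on_release(1));
    printf("without line 3472: dangling=%d double_frees=%d\n",
        dangling_after_copy(0), double_frees_on_release(0));
    return 0;
}
```

With the struct assignment in place, the new mbuf ends up holding pointers to tags that the move has just freed; without it, ownership passes exactly once.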
From: gnn@FreeBSD.org To: Robert Watson In-Reply-To: <20060328095916.A19236@fledge.watson.org> References: <20060327184013.6d60173c.zhouyi04@ios.cn> <20060328095916.A19236@fledge.watson.org> User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (=?ISO-8859-4?Q?Shij=F2?=) APEL/10.6 Emacs/22.0.50 (i386-apple-darwin8.5.1) MULE/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Cc: freebsd-bugs@FreeBSD.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org, zhouyi zhou Subject: Re: settling serious conflicts between MAC and IPSEC X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Mar 2006 11:40:54 -0000

At Tue, 28 Mar 2006 10:02:39 +0000 (GMT), rwatson wrote:
> Thanks for this report! The M_MOVE_PKTHDR() should do all the
> necessary work, including copying the fields referenced in 3472, as
> well as handling existing m_tags right. I've attached a patch with
> your proposal, which looks and sounds good to me, and CC'd George
> and Bjoern in the hopes that one of them will give it a nod of
> approval before I commit it -- hopefully we can get this MFC'd for
> 6.1-RELEASE.

Looks good to me.
Later, George From owner-trustedbsd-discuss@FreeBSD.ORG Wed Apr 26 00:07:30 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4FDB16A401 for ; Wed, 26 Apr 2006 00:07:30 +0000 (UTC) (envelope-from viktorkallinikov@googlemail.com) Received: from nz-out-0102.google.com (nz-out-0102.google.com [64.233.162.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id DEC7743D5A for ; Wed, 26 Apr 2006 00:07:29 +0000 (GMT) (envelope-from viktorkallinikov@googlemail.com) Received: by nz-out-0102.google.com with SMTP id 9so1183190nzo for ; Tue, 25 Apr 2006 17:07:29 -0700 (PDT) Received: by 10.65.95.6 with SMTP id x6mr287674qbl; Tue, 25 Apr 2006 17:07:29 -0700 (PDT) Received: by 10.65.98.12 with HTTP; Tue, 25 Apr 2006 17:07:29 -0700 (PDT) Message-ID: <7a8ada600604251707s59e94bffp8fbdf27d4834a6e4@mail.gmail.com> Date: Wed, 26 Apr 2006 01:07:29 +0100
From: "Viktor Kallinikov" To: trustedbsd-discuss@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Cc: Subject: POSIX capabilities X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Apr 2006 00:07:30 -0000 How to enable POSIX capabilities in kernel ? thank you, From owner-trustedbsd-discuss@FreeBSD.ORG Fri Apr 28 13:22:36 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C5D516A417 for ; Fri, 28 Apr 2006 13:22:36 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B11CC43D48 for ; Fri, 28 Apr 2006 13:22:35 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 54D8646C72; Fri, 28 Apr 2006 09:22:35 -0400 (EDT) Date: Fri, 28 Apr 2006 14:22:35 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Viktor Kallinikov In-Reply-To: <7a8ada600604251707s59e94bffp8fbdf27d4834a6e4@mail.gmail.com> Message-ID: <20060428141810.Y40418@fledge.watson.org> References: <7a8ada600604251707s59e94bffp8fbdf27d4834a6e4@mail.gmail.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@freebsd.org Subject: Re: POSIX capabilities X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Apr 2006 13:22:36 -0000 On Wed, 26 Apr 2006, Viktor Kallinikov wrote: > How to enable POSIX capabilities in kernel ? Right now, POSIX.1e capabilities aren't merged into the base FreeBSD source tree. There are actually two sets of outstanding changes relating to this: (1) The TrustedBSD capabilities development tree, trustedbsd_cap, which was created several years ago and is based on a version of FreeBSD 5.x. This contains a relatively complete implementation of POSIX.1e capabilities (privileges), including support for marking binaries as granting privileges, etc. (2) In the TrustedBSD SEBSD branch, there are changes to the MAC Framework to allow MAC policy modules to restrict access to specific POSIX.1e capabilities (privileges); this allows policy modules to (at a broad level) control privilege in the system, but doesn't permit granting of privilege (currently). The reason we deferred further work on the implementation of (1) is that it had reached the point where we had to make an integration decision, and we did not convince ourselves that the benefits of the implementation outweighed the risks of modifying the OS privilege model. 
The subset approach being adopted in (2) paves the way for allowing the privilege model to be plugged in without a whole-sale adaptation of the remainder of the OS, and is probably the better way to go. At the upcoming FreeBSD developer summit, a discussion of privilege APIs in the kernel is on the table, and will probably result in the adoption of a replacement for suser(). The main problem with cap_check() as a replacement for suser is that it fails to offer much more useful granularity for many of the most important privileges in the OS. My current thinking is that we'll end up with a couple of different privilege APIs that offer greater granularity in various subsystems, which can then be plugged using the MAC Framework (or something along those lines). Robert N M Watson From owner-trustedbsd-discuss@FreeBSD.ORG Sat May 6 12:11:54 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D6A616A400; Sat, 6 May 2006 12:11:54 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C7FF143D45; Sat, 6 May 2006 12:11:53 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 6A01746B03; Sat, 6 May 2006 08:11:53 -0400 (EDT) Date: Sat, 6 May 2006 13:11:53 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-discuss@TrustedBSD.org, trustedbsd-audit@TrustedBSD.org Message-ID: <20060506131100.Y17611@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: [FreeBSD-Announce] Summer of Code Application Deadline in 1 week (fwd) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 May 2006 12:11:54 -0000

Just as a reminder, the summer of code application deadline is approaching rapidly. There's lots of room for original work proposals for students interested in getting paid to do TrustedBSD work this summer (or winter, if you're in the Southern Hemisphere :-).

Robert N M Watson

---------- Forwarded message ---------- Date: Mon, 1 May 2006 13:22:52 -0700
From: Murray Stokely To: announce@FreeBSD.org Subject: [FreeBSD-Announce] Summer of Code Application Deadline in 1 week The Summer of Code application process has officially begun. This is an excellent opportunity for students to get involved with improving FreeBSD. Successful student applicants will receive $4,500 in funding from Google, will be granted an account on the FreeBSD.org Perforce revision control system, and will receive an @freebsd.org mail forward to help interact with other FreeBSD developers this summer. We have identified a number of senior developers to serve as mentors to introduce students to contributing to FreeBSD. We have also identified some example project ideas and guidelines for writing a good proposal on our Summer of Code web page : http://www.freebsd.org/projects/summerofcode.html There you will find a partial list of example proposal ideas in all areas of operating system design, including networking, filesystems, installation tools, parallel programming, security research and more. Once a suitable project and mentor have been identified, interested students should complete a proposal and submit it to Google. Proposals are now being accepted and the final deadline is May 8, 2006 at 17:00 Pacific Daylight Time (midnight May 9, 2006 0:00 UTC). Winning candidates will be announced in late May. Interacting with a global team of open source developers in a centralized revision control system is excellent preparation for a future career as a software engineer. Many of the students that participated last year are still contributing code to FreeBSD. For additional information about this program, please see the student frequently asked questions page: http://code.google.com/soc/studentfaq.html Thanks and good luck! 
- Murray Stokely _______________________________________________ freebsd-announce@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-announce To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" From owner-trustedbsd-discuss@FreeBSD.ORG Wed May 10 09:44:30 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97A5516A400 for ; Wed, 10 May 2006 09:44:30 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id B66B543D45 for ; Wed, 10 May 2006 09:44:29 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 26414 invoked by uid 502); 10 May 2006 09:22:08 -0000 Received: from zhouyi04@ios.cn by abyss.iscas.cn by uid 0 with qmail-scanner-1.22 (hbedv: 6.24.0.7/6.24.0.69. spamassassin: 2.63. Clear:RC:0(159.226.5.225):SA:0(-99.1/9.0):. Processed in 0.122561 secs); 10 May 2006 09:22:08 -0000 Received: from unknown (HELO zzy.H.qngy.gscas) (zhouyi04@159.226.5.225) by abyss.iscas.cn with SMTP; 10 May 2006 09:22:07 -0000 Date: Wed, 10 May 2006 17:44:16 +0800 
From: zhouyi zhou To: trustedbsd-discuss@FreeBSD.org Message-Id: <20060510174416.597c3b5f.zhouyi04@ios.cn> In-Reply-To: <005401c67377$cf93a4e0$1c00a8c0@panxj> References: <000001c6736f$409db800$26024dd2@n610c> <005401c67377$cf93a4e0$1c00a8c0@panxj> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on abyss.iscas.cn X-Spam-Status: No, hits=-99.1 required=9.0 tests=FROM_ENDS_IN_NUMS, USER_IN_WHITELIST autolearn=no version=2.63 X-Spam-Level: Subject: Using modified db_trace_self to show MAC Framework's denial information X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 May 2006 09:44:30 -0000

Dear Colleagues,

TrustedBSD's MAC Framework lacks enough denial information in access control. For example, in SEBSD's avc deny information, only inode number was shown for an ordinary file access. This is due to the structure of UFS (which lacks d_entry as ext2fs does).

I suggest modifying ddb's db_trace_self facility to show vnode's corresponding path name. Take kern_stat for example:

static void
db_print_stack_entry_modified_by_ZhouyiZhou(name, narg, argnp, argp, callpc)
	const char *name;
	int narg;
	char **argnp;
	int *argp;
	db_addr_t callpc;
{
	/* Only kern_stat frames are decoded; any other frame prints nothing. */
	if (!strcmp(name, "kern_stat")) {
		int i = 1;

		db_printf("%s: ", name);
		while (narg) {
			/* Argument 1 is the struct thread *: print its command name. */
			if (i == 1)
				db_printf("executable = %s ", ((struct thread *)
				    db_get_value((int)argp, 4, FALSE))->td_proc->p_comm);
			/* Argument 2 is the path string handed to kern_stat. */
			if (i == 2)
				db_printf("path = %s ", ((char *)
				    db_get_value((int)argp, 4, FALSE)));
			argp++;
			i++;
			--narg;
		}
		db_printf("\n");
		return;
	}
	return;
}

You can implement many others such as kern_open to print the pathname of the access denied inode.

This may not be the best solution, but it is indeed a solution.

Sincerely yours
Zhouyi Zhou

From owner-trustedbsd-discuss@FreeBSD.ORG Sun May 14 12:38:43 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3A38E16A405 for ; Sun, 14 May 2006 12:38:43 +0000 (UTC) (envelope-from millerfor@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.184]) by mx1.FreeBSD.org (Postfix) with ESMTP id 122EB43D6B for ; Sun, 14 May 2006 12:38:34 +0000 (GMT) (envelope-from millerfor@gmail.com) Received: by nf-out-0910.google.com with SMTP id y25so534524nfb for ; Sun, 14 May 2006 05:38:33 -0700 (PDT) Received: by 10.48.217.20 with SMTP id p20mr2684046nfg; Sun, 14 May 2006 05:38:33 -0700 (PDT) Received: by 10.48.242.2 with HTTP; Sun, 14 May 2006 05:38:33 -0700 (PDT) Message-ID: Date: Sun, 14 May 2006 20:38:33 +0800
From: "=?GB2312?B?ssy8ztPC?=" To: trustedbsd-discuss@freebsd.org In-Reply-To: MIME-Version: 1.0 References: <000001c6736f$409db800$26024dd2@n610c> <005401c67377$cf93a4e0$1c00a8c0@panxj> <20060510174147.254cc82f.zhouyi04@ios.cn> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: Using modified db_trace_self to show MAC Framework's denial information X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 May 2006 12:38:43 -0000

I faced a difficulty! I want all inode access information, so I used the same method as db_trace to trace through td_frame ...

After several days testing, I found that the arguments passed into syscall may be changed throughout running, below is my result:

#### I reserved a copy in thread structure through bcopy like ktrace_syscall

if (params != NULL && narg != 0)
	bcopy((const void *)args, (void *)(td->syscall_args),	/* int syscall_args[8] in sys/proc.h */
	    (u_int)(narg * sizeof(int)));

#### in my own trace function:

void
print_syscall_details(struct thread *td)
{
	char *path = (char *)td->syscall_args[0];

	switch (td->td_frame->tf_eax) {
	case open:
		....
	}
}

the result is that open stat and etc syscalls can print out right file path, However execve() not always

from ddb information it seems that the memory allocated for containing the path has been removed causing to page fault

trace to execve() source code I found that this syscall will invoke execve_copyin_args(...) allocating enough memory and copying the string in

trace open() not find such kind copyin action!!!!!!! it just make nameidata->ni_dirp point to user space address

I do not know whether freebsd scheduler allows proc kernel code(syscall) parallel running with user space code??????

2006/5/10, zhouyi zhou :
> Dear Colleagues,
> TrustedBSD's MAC Framework lacks enough denial information in access
> control.
> For example, in SEBSD's avc deny information, only inode number was shown
> for an
> ordinary file access. This is due to the structure of UFS (which lacks
> d_entry as
> ext2fs does).
> I suggest modifying ddb's db_trace_self facility to show vnode's
> corresponding
> path name.
> Take kern_stat for example:
> db_print_stack_entry_modified_by_ZhouyiZhou(name, narg, argnp, argp,
> callpc)
>	const char *name;
>	int narg;
>	char **argnp;
>	int *argp;
>	db_addr_t callpc;
> {
>	if (!strcmp(name,"kern_stat")){
>		db_printf("%s: ", name);
>		int i = 1;
>		while (narg) {
>			if (i == 1)
>				db_printf("executable = %s ",((struct thread *)
>				    db_get_value((int)argp, 4, FALSE))->td_proc->p_comm);
>			if (i == 2)
>				db_printf("path = %s ",((char *) db_get_value((int)argp, 4,
>				    FALSE)));
>			argp++;
>			i++;
>			--narg;
>
>		}
>		db_printf("\n");
>		return;
>	}
>	return;
> }
> You can implement many others such as kern_open to print the pathname of
> the access denied inode.
>
> This may not be the best solution, but it is indeed a solution.
>
> Sincerely yours
> Zhouyi Zhou
>
> _______________________________________________
> trustedbsd-discuss@FreeBSD.org mailing list
> http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss
> To unsubscribe, send any mail to "
> trustedbsd-discuss-unsubscribe@FreeBSD.org"
>

From owner-trustedbsd-discuss@FreeBSD.ORG Sat Jun 17 21:59:28 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A43616A479 for ; Sat, 17 Jun 2006 21:59:28 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC89C43D6A for ; Sat, 17 Jun 2006 21:59:21 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.185.155] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1Frioz2I8R-0002Kl; Sat, 17 Jun 2006 23:59:16 +0200
From: Max Laier Organization: FreeBSD To: trustedbsd-discuss@freebsd.org Date: Sat, 17 Jun 2006 23:59:07 +0200 User-Agent: KMail/1.9.1 References: <20060327184133.5a35b20f.zhouyi04@ios.cn> In-Reply-To: <20060327184133.5a35b20f.zhouyi04@ios.cn> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1179575.iaKKNL2654"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200606172359.13019.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: zhouyi zhou Subject: Re: MAC Framework has confict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Jun 2006 21:59:28 -0000
--nextPart1179575.iaKKNL2654 Content-Type: multipart/mixed; boundary="Boundary-01=_ssHlE+Zw452i3vn" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_ssHlE+Zw452i3vn Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Monday 27 March 2006 12:41, zhouyi zhou wrote:
> MAC Framework has conflict with IP firewall
> because in function ipfw_tick of file ip_fw2.c, the mbuf is created
> without MAC label being initialized and send directly to ip_output.

Christian Brueffer made me aware of this problem.  Here is what we believe
should work as a temporary workaround to this problem.  The final solution
would involve assigning a label with firewall states (derived from the packet
that creates the state) and then using this label for the mbuf created for
keepalives etc.

The attached modifies biba, lomac and mls.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--Boundary-01=_ssHlE+Zw452i3vn-- --nextPart1179575.iaKKNL2654 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBElHsxXyyEoT62BG0RAqD9AJ9rWD9Syo78B8XbkOeDD8Hzbzdj2ACeMdKS Z6QnWge5UvAFNAQJyHytxeA= =XSgG -----END PGP SIGNATURE----- --nextPart1179575.iaKKNL2654--
From owner-trustedbsd-discuss@FreeBSD.ORG Sat Jun 17 22:09:02 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F3ED16A47A for ; Sat, 17 Jun 2006 22:09:02 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 633FB43D46 for ; Sat, 17 Jun 2006 22:09:01 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.185.155] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1FriyM26cT-0000LF; Sun, 18 Jun 2006 00:08:55 +0200 
From: Max Laier Organization: FreeBSD To: trustedbsd-discuss@freebsd.org Date: Sun, 18 Jun 2006 00:08:48 +0200 User-Agent: KMail/1.9.1 References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net> In-Reply-To: <200606172359.13019.max@love2party.net> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1636735.IqntMIT3q6"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200606180008.53676.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: zhouyi zhou Subject: Re: MAC Framework has confict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Jun 2006 22:09:02 -0000 --nextPart1636735.IqntMIT3q6 Content-Type: multipart/mixed; boundary="Boundary-01=_x1HlEKdGwm5/Vvh" Content-Transfer-Encoding: 7bit Content-Disposition: inline --Boundary-01=_x1HlEKdGwm5/Vvh Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 17 June 2006 23:59, Max Laier wrote: > On Monday 27 March 2006 12:41, zhouyi zhou wrote: > > MAC Framework has conflict with IP firewall > > because in function ipfw_tick of file ip_fw2.c, the mbuf is created > > without MAC label being initialized and send directly to ip_output. > > Christian Brueffer made me aware of this problem. Here is what we believe > should work as a temporary workaround to this problem. 
The final solution > would involve assigning a label with firewall states (derived from the > packet that creates the state) and then using this label for the mbuf > created for keepalives etc. > > The attached modifies biba, lomac and mls. Retry with different Content-Type. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_x1HlEKdGwm5/Vvh Content-Type: text/plain; charset="iso-8859-6"; name="mac_firewall.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="mac_firewall.diff" =2D-- //depot/projects/trustedbsd/mac/sys/contrib/pf/net/pf.c 2006/02/11 13= :33:00 +++ //depot/user/mlaier/trustedbsd/mac/sys/contrib/pf/net/pf.c 2006/06/17 1= 8:31:00 @@ -44,6 +44,7 @@ #ifdef __FreeBSD__ #include "opt_bpf.h" #include "opt_pf.h" +#include "opt_mac.h" =20 #ifdef DEV_BPF #define NBPFILTER DEV_BPF @@ -78,6 +79,7 @@ #include #include #ifdef __FreeBSD__ +#include #include #include #else @@ -192,7 +194,12 @@ struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t *, u_int16_t *, u_int16_t *, u_int16_t *, u_int8_t, sa_family_t); +#ifdef __FreeBSD__ +void pf_send_tcp(struct mbuf *, + const struct pf_rule *, sa_family_t, +#else void pf_send_tcp(const struct pf_rule *, sa_family_t, +#endif const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, @@ -1114,7 +1121,11 @@ cur->local_flags |=3D PFSTATE_EXPIRING; #endif if (cur->src.state =3D=3D PF_TCPS_PROXY_DST) +#ifdef __FreeBSD__ + pf_send_tcp(NULL, cur->rule.ptr, cur->af, +#else pf_send_tcp(cur->rule.ptr, cur->af, +#endif &cur->ext.addr, &cur->lan.addr, cur->ext.port, cur->lan.port, cur->src.seqhi, cur->src.seqlo + 1, 
@@ -1574,7 +1585,11 @@ } =20 void +#ifdef __FreeBSD__ +pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, +#else pf_send_tcp(const struct pf_rule *r, sa_family_t af, +#endif const struct pf_addr *saddr, const struct pf_addr *daddr, u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, @@ -1613,6 +1628,16 @@ m =3D m_gethdr(M_DONTWAIT, MT_HEADER); if (m =3D=3D NULL) return; +#ifdef __FreeBSD__ +#ifdef MAC + if (replyto) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpproxy(m); +#else + (void)replyto; +#endif +#endif if (tag) { #ifdef __FreeBSD__ m->m_flags |=3D M_SKIP_FIREWALL; @@ -3146,7 +3171,11 @@ ack++; if (th->th_flags & TH_FIN) ack++; +#ifdef __FreeBSD__ + pf_send_tcp(m, r, af, pd->dst, +#else pf_send_tcp(r, af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, r->return_ttl, 1, pd->eh, kif->pfik_ifp); @@ -3347,7 +3376,11 @@ mss =3D pf_calc_mss(saddr, af, mss); mss =3D pf_calc_mss(daddr, af, mss); s->src.mss =3D mss; +#ifdef __FreeBSD__ + pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport, +#else pf_send_tcp(r, af, daddr, saddr, th->th_dport, +#endif th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL); REASON_SET(&reason, PFRES_SYNPROXY); @@ -4348,7 +4381,11 @@ REASON_SET(reason, PFRES_SYNPROXY); return (PF_DROP); } +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, (*state)->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, 
@@ -4387,7 +4424,12 @@ (*state)->src.max_win =3D MAX(ntohs(th->th_win), 1); if ((*state)->dst.seqhi =3D=3D 1) (*state)->dst.seqhi =3D htonl(arc4random()); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->dst.seqhi, 0, TH_SYN, 0, (*state)->src.mss, 0, 0, NULL, NULL); @@ -4401,12 +4443,21 @@ } else { (*state)->dst.max_win =3D MAX(ntohs(th->th_win), 1); (*state)->dst.seqlo =3D ntohl(th->th_seq); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ntohl(th->th_seq) + 1, TH_ACK, (*state)->src.max_win, 0, 0, 0, NULL, NULL); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, TH_ACK, (*state)->dst.max_win, 0, 0, 1, @@ -4685,7 +4736,11 @@ (*state)->src.state =3D=3D TCPS_SYN_SENT) { /* Send RST for state mismatches during handshake */ if (!(th->th_flags & TH_RST)) +#ifdef __FreeBSD__ + pf_send_tcp(m, (*state)->rule.ptr, pd->af, +#else pf_send_tcp((*state)->rule.ptr, pd->af, +#endif pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), 0, TH_RST, 0, 0, =2D-- //depot/projects/trustedbsd/mac/sys/modules/ipfw/Makefile 2006/03/20 = 19:47:17 +++ //depot/user/mlaier/trustedbsd/mac/sys/modules/ipfw/Makefile 2006/06/17= 21:22:14 @@ -6,7 +6,7 @@ =20 KMOD=3D ipfw SRCS=3D ip_fw2.c ip_fw_pfil.c =2DSRCS+=3D opt_inet6.h opt_ipsec.h +SRCS+=3D opt_inet6.h opt_ipsec.h opt_mac.h =20 CFLAGS+=3D -DIPFIREWALL # =2D-- //depot/projects/trustedbsd/mac/sys/modules/pf/Makefile 2006/03/20 19= :47:17 +++ //depot/user/mlaier/trustedbsd/mac/sys/modules/pf/Makefile 2006/06/17 2= 1:22:14 
@@ -8,7 +8,7 @@ KMOD=3D pf SRCS =3D pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c= \ in4_cksum.c \ =2D opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h + opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h =20 CFLAGS+=3D -I${.CURDIR}/../../contrib/pf =20 =2D-- //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c 2006/03/08 21:28= :14 +++ //depot/user/mlaier/trustedbsd/mac/sys/netinet/ip_fw2.c 2006/06/17 21:2= 2:14 @@ -43,6 +43,7 @@ #endif #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_mac.h" =20 #include #include @@ -52,6 +53,7 @@ #include #include #include +#include #include #include #include @@ -1524,9 +1526,12 @@ * When flags & TH_RST, we are sending a RST packet, because of a * "reset" action matched the packet. * Otherwise we are sending a keepalive, and flags & TH_ + * The 'replyto' mbuf is the mbuf being replied to, if any, and is required + * so that MAC can label the reply appropriately. */ static struct mbuf * =2Dsend_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flag= s) +send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, + u_int32_t ack, int flags) { struct mbuf *m; struct ip *ip; @@ -1536,6 +1541,16 @@ if (m =3D=3D 0) return (NULL); m->m_pkthdr.rcvif =3D (struct ifnet *)0; + +#ifdef MAC + if (replyto !=3D NULL) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpkeepalive(m); +#else + (void)replyto; /* don't warn about unused arg */ +#endif + m->m_pkthdr.len =3D m->m_len =3D sizeof(struct ip) + sizeof(struct tcphdr= ); m->m_data +=3D max_linkhdr; =20 @@ -1620,8 +1635,8 @@ L3HDR(struct tcphdr, mtod(args->m, struct ip *)); if ( (tcp->th_flags & TH_RST) =3D=3D 0) { struct mbuf *m; =2D m =3D send_pkt(&(args->f_id), ntohl(tcp->th_seq), =2D ntohl(tcp->th_ack), + m =3D send_pkt(args->m, &(args->f_id), + ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m !=3D NULL) ip_output(m, NULL, NULL, 0, NULL, NULL); 
@@ -4082,11 +4097,11 @@ if (TIME_LEQ(q->expire, time_uptime)) continue; /* too late, rule expired */ =20 =2D *mtailp =3D send_pkt(&(q->id), q->ack_rev - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; =2D *mtailp =3D send_pkt(&(q->id), q->ack_fwd - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_fwd - 1, q->ack_rev, 0); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; =2D-- //depot/projects/trustedbsd/mac/sys/security/mac/mac_inet.c 2004/11/0= 8 17:24:02 +++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac/mac_inet.c 2006/06/= 17 19:55:19 @@ -309,3 +309,41 @@ INP_LOCK_ASSERT(inp); MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); } + +void +mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to) +{ + struct label *fromlabel, *tolabel; + + M_ASSERTPKTHDR(from); + M_ASSERTPKTHDR(to); + + fromlabel =3D mac_mbuf_to_label(from); + tolabel =3D mac_mbuf_to_label(to); + + MAC_PERFORM(firewall_tcpreflect, from, fromlabel, to, tolabel); +} + +void +mac_firewall_tcpkeepalive(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpkeepalive, m, label); +} + +void +mac_firewall_tcpproxy(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpproxy, m, label); +} =2D-- //depot/projects/trustedbsd/mac/sys/security/mac_biba/mac_biba.c 2006= /02/11 13:33:00 +++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_biba/mac_biba.c 200= 6/06/17 21:07:55 
@@ -1450,6 +1450,40 @@ mac_biba_copy(source, dest); } =20 +static void +mac_biba_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_biba *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_biba_copy_effective(source, dest); +} + +static void +mac_biba_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void +mac_biba_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -3195,6 +3229,9 @@ .mpo_relabel_ifnet =3D mac_biba_relabel_ifnet, .mpo_update_ipq =3D mac_biba_update_ipq, .mpo_inpcb_sosetlabel =3D mac_biba_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_biba_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_biba_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_biba_firewall_tcpproxy, .mpo_create_proc0 =3D mac_biba_create_proc0, .mpo_create_proc1 =3D mac_biba_create_proc1, .mpo_relabel_cred =3D mac_biba_relabel_cred, =2D-- //depot/projects/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c 20= 06/03/08 21:51:14 +++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_lomac/mac_lomac.c 2= 006/06/17 20:17:40 
@@ -1529,6 +1529,40 @@ mac_lomac_copy_single(source, dest); } =20 +static void +mac_lomac_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_lomac *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_lomac_copy_single(source, dest); +} + +static void +mac_lomac_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void +mac_lomac_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + /* * Labeling event operations: processes. */ @@ -3108,6 +3142,9 @@ .mpo_relabel_ifnet =3D mac_lomac_relabel_ifnet, .mpo_update_ipq =3D mac_lomac_update_ipq, .mpo_inpcb_sosetlabel =3D mac_lomac_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_lomac_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_lomac_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_lomac_firewall_tcpproxy, .mpo_execve_transition =3D mac_lomac_execve_transition, .mpo_execve_will_transition =3D mac_lomac_execve_will_transition, .mpo_create_proc0 =3D mac_lomac_create_proc0, =2D-- //depot/projects/trustedbsd/mac/sys/security/mac_mls/mac_mls.c 2005/1= 1/09 15:09:41 +++ //depot/user/mlaier/trustedbsd/mac/sys/security/mac_mls/mac_mls.c 2006/= 06/17 21:07:55 
@@ -1382,6 +1382,40 @@ mac_mls_copy(source, dest); } =20 +static void +mac_mls_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_mls *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_mls_copy_effective(source, dest); +} + +static void +mac_mls_firewall_tcpkeepalive(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void +mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -2961,6 +2995,9 @@ .mpo_relabel_ifnet =3D mac_mls_relabel_ifnet, .mpo_update_ipq =3D mac_mls_update_ipq, .mpo_inpcb_sosetlabel =3D mac_mls_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_mls_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_mls_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_mls_firewall_tcpproxy, .mpo_create_proc0 =3D mac_mls_create_proc0, .mpo_create_proc1 =3D mac_mls_create_proc1, .mpo_relabel_cred =3D mac_mls_relabel_cred, =2D-- //depot/projects/trustedbsd/mac/sys/sys/mac.h 2006/04/27 16:07:17 +++ //depot/user/mlaier/trustedbsd/mac/sys/sys/mac.h 2006/06/17 19:46:34 
@@ -283,6 +283,13 @@ void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); int mac_update_mbuf_from_cipso(struct mbuf *m, char *cp, int *code); void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); +void mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to); +/* + * XXX: The next two should be combined to mac_mbuf_from_firewall_state if + * we'd stick labels to firewall states. Later! + */ +void mac_firewall_tcpkeepalive(struct mbuf *m); +void mac_firewall_tcpproxy(struct mbuf *m); =20 /* * Labeling event operations: processes. =2D-- //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h 2006/04/28 14:30= :05 +++ //depot/user/mlaier/trustedbsd/mac/sys/sys/mac_policy.h 2006/06/17 19:2= 3:51 @@ -328,6 +328,13 @@ typedef void (*mpo_inpcb_sosetlabel_t)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); +typedef void (*mpo_firewall_tcpreflect_t)(struct mbuf *from, + struct label *fromlabel, struct mbuf *to, + struct label *tolabel); +typedef void (*mpo_firewall_tcpkeepalive_t)(struct mbuf *m, + struct label *label); +typedef void (*mpo_firewall_tcpproxy_t)(struct mbuf *m, + struct label *label); =20 /* * Labeling event operations: processes. 
@@ -748,6 +755,9 @@ mpo_update_ipq_t mpo_update_ipq; mpo_update_mbuf_from_cipso_t mpo_update_mbuf_from_cipso; mpo_inpcb_sosetlabel_t mpo_inpcb_sosetlabel; + mpo_firewall_tcpreflect_t mpo_firewall_tcpreflect; + mpo_firewall_tcpkeepalive_t mpo_firewall_tcpkeepalive; + mpo_firewall_tcpproxy_t mpo_firewall_tcpproxy; =20 /* * Labeling event operations: processes. --Boundary-01=_x1HlEKdGwm5/Vvh-- --nextPart1636735.IqntMIT3q6 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBElH11XyyEoT62BG0RAkGYAJ0XepGJx5mC6smTRfyBClaqKoLRpwCeIe3z /KK9up/BcR29C0nY6CmYZIc= =/n7c -----END PGP SIGNATURE----- --nextPart1636735.IqntMIT3q6-- From owner-trustedbsd-discuss@FreeBSD.ORG Sun Jun 18 01:45:44 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E55C16A479 for ; Sun, 18 Jun 2006 01:45:44 +0000 (UTC) (envelope-from zhouyi04@ios.cn) Received: from abyss.iscas.cn (abyss.iscas.cn [159.226.5.55]) by mx1.FreeBSD.org (Postfix) with SMTP id C083143D45 for ; Sun, 18 Jun 2006 01:45:39 +0000 (GMT) (envelope-from zhouyi04@ios.cn) Received: (qmail 26246 invoked by uid 502); 18 Jun 2006 01:23:34 -0000 Received: from zhouyi04@ios.cn by abyss.iscas.cn by uid 0 with qmail-scanner-1.22 (hbedv: 6.24.0.7/6.24.0.69. spamassassin: 2.63. Clear:RC:0(159.226.5.225):SA:0(-99.1/9.0):. Processed in 1.141823 secs); 18 Jun 2006 01:23:34 -0000 Received: from unknown (HELO zzy.H.qngy.gscas) (zhouyi04@159.226.5.225) by abyss.iscas.cn with SMTP; 18 Jun 2006 01:23:33 -0000 Date: Sun, 18 Jun 2006 09:43:12 +0800 
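Review bot: in pf_send_tcp() in pf.c (hunk at @@ -1613,6 +1628,16) the label is chosen only by whether replyto is NULL, and every NULL caller is routed to mac_firewall_tcpproxy(). The call added at @@ -1114,7 +1121,11 passes NULL from the state-expiry path (cur->src.state == PF_TCPS_PROXY_DST), so that teardown segment is labeled through the proxy hook as well; a short comment above the #ifdef MAC block should say that NULL means "no packet to reflect, use the proxy label" so later callers do not pass NULL by accident. The test is written "if (replyto)" here and "if (replyto != NULL)" in send_pkt() in ip_fw2.c; use one form in both places.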
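Review bot: in mac_biba.c, mac_lomac.c and mac_mls.c the new *_firewall_tcpkeepalive and *_firewall_tcpproxy handlers have identical bodies and stamp a fixed EQUAL label (MAC_BIBA_TYPE_EQUAL, MAC_LOMAC_TYPE_EQUAL, MAC_MLS_TYPE_EQUAL) on the generated mbuf. EQUAL satisfies every dominance comparison, so keepalives and proxy segments are exempt from the policy whatever the label of the flow that created the state, and the XXX comment only asks where the label should come from. Until labels are stored with firewall state, fold the two handlers into one helper per policy and replace the XXX with a comment saying that EQUAL is a stopgap and why it was picked over the low label. The comment text also misspells "coming" as "comming" in all six places.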
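Review bot: in sys/sys/mac_policy.h (hunk at @@ -748,6 +755,9) the three mpo_firewall_* members are inserted in the middle of struct mac_policy_ops, right after mpo_inpcb_sosetlabel, which shifts the offset of every member that follows. A policy module compiled against the previous header would then have its later entry points read from the wrong slots, and nothing in this patch changes a version or ABI marker that would reject such a module. Append the new members at the end of the structure, or state in the patch description that all policy modules must be rebuilt; this matters most for the RELENG_6 variant posted later in the thread.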
From: zhouyi zhou To: Max Laier Message-Id: <20060618094312.7fec4f77.zhouyi04@ios.cn> In-Reply-To: <200606180008.53676.max@love2party.net> References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net> <200606180008.53676.max@love2party.net> Organization: Institute of Software X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd5.4) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on abyss.iscas.cn X-Spam-Status: No, hits=-99.1 required=9.0 tests=FROM_ENDS_IN_NUMS, USER_IN_WHITELIST autolearn=no version=2.63 X-Spam-Level: Cc: trustedbsd-discuss@freebsd.org Subject: Re: MAC Framework has confict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Jun 2006 01:45:44 -0000

Thanks for the modification!!!
I have three small suggestions, maybe inappropriate :-)

1)
would you think in
static void
mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
and so on assigning a mls/low label to the generated mbuf is better,
as I have known in BLP kind systems, mls/low is the default label for the
system software and system behaviour.

2)
I add ethernet address matching for PF in FreeBSD like that in OpenBSD
by simply maintaining a chain for which MAC address to insert which tag:
//net/if_ethersubr.c
static void
ether_input(struct ifnet *ifp, struct mbuf *m)
{
	struct ether_header *eh;
	u_short etype;
	.......
#ifdef DEV_PF
	PF_TAG_MBUF(m);
#endif
//contrib/pf/pf_ioctl.c
void
pf_tag_mbuf(struct mbuf *mbuf)
{
	struct ether_header *eh;
	struct pfmac_rule_element * rule_iterator = pfmac_rule_chain;
	struct ether_header zero_header;

	/* An all-zero address in a rule matches any address. */
	bzero(&zero_header.ether_dhost,6);
	bzero(&zero_header.ether_shost,6);
	eh = mtod(mbuf, struct ether_header *);
	/* Stop at the first rule whose source and destination both match. */
	while (rule_iterator){
		if ((!memcmp(eh->ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6)||
		    !memcmp(zero_header.ether_shost, rule_iterator->pfmac_rule->ether_header.ether_shost, 6))&&
		    (!memcmp(eh->ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)||
		    !memcmp(zero_header.ether_dhost, rule_iterator->pfmac_rule->ether_header.ether_dhost, 6)))
			break;
		rule_iterator = rule_iterator->next;
	}
	if (rule_iterator != NULL)
		pf_tag_packet(mbuf, NULL, pf_tagname2tag(rule_iterator->pfmac_rule->tag));
}

3) MAC Framework has conflicts with NFS, I work it around by:
//security/mac/mac_vfs.c
int
mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
{
	int error;
	...
	/*added by Zhouyi Zhou*/
	if (cred->cr_label == NULL)
	{
		mac_init_cred(cred);
		mac_copy_cred(curthread->td_ucred, cred);
	}
	/*added by Zhouyi Zhou*/
	...
	MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
	    dvp, dvp->v_label, vp, vp->v_label, cnp);
////////////////
It could also have vp or dvp's label assigned to the cred.

Sincerely yours
Zhouyi Zhou

From owner-trustedbsd-discuss@FreeBSD.ORG Sun Jun 18 02:09:15 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6F8816A47A for ; Sun, 18 Jun 2006 02:09:15 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1060643D46 for ; Sun, 18 Jun 2006 02:09:14 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.185.155] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu5) with ESMTP (Nemesis), id 0ML25U-1Frmip3XD7-0002FI; Sun, 18 Jun 2006 04:09:10 +0200 
From: Max Laier Organization: FreeBSD To: zhouyi zhou Date: Sun, 18 Jun 2006 04:09:00 +0200 User-Agent: KMail/1.9.1 References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606180008.53676.max@love2party.net> <20060618094312.7fec4f77.zhouyi04@ios.cn> In-Reply-To: <20060618094312.7fec4f77.zhouyi04@ios.cn> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1172575.PxHO3y5ZhD"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200606180409.06966.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: trustedbsd-discuss@freebsd.org Subject: Re: MAC Framework has confict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Jun 2006 02:09:15 -0000
--nextPart1172575.PxHO3y5ZhD Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Sunday 18 June 2006 03:43, zhouyi zhou wrote:
> 1)
> would you think in
> static void
> mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel)
> and so on assigning a mls/low label to the generated mbuf is better,
> as I have known in BLP kind systems, mls/low is the default label for the
> system software and system behaviour.

I'm not really happy with setting any static label in there at all.  I was
merely copying from mac_mls_create_mbuf_linklayer() which also creates a mbuf
"out of thin air" (i.e. unprovoked, from the system software).  I don't say
there are no better ways to do this, but a clean solution involves keeping a
label in the firewall state that later creates the packet.  I am working on
patches for that as well, but it might be some time before that gets
somewhere as I try to keep it reasonably generic to use with pf and ipfw at
the same time ... which right now looks like a good way to Waterloo :-\

> 2)
> I add ethernet address matching for PF in FreeBSD like that in OpenBSD
> by simply maintaining a chain for which MAC address to insert which tag:
> //net/if_ethersubr.c
> static void
> ether_input(struct ifnet *ifp, struct mbuf *m)
> {

We hope to place a pfil(9) hook in ether_input and related functions in
if_bridge(4) some time soon in order to enable a generic way to do L2
filtering.  Once that is done (I should probably just do it myself finally) I
will provide a tagging mechanism along the lines of what OpenBSD provides.

> 3) MAC Framework has conflicts with NFS, I work it around by:
> //security/mac/mac_vfs.c

I'll let somebody else tackle this ;)

> int
> mac_create_vnode_extattr(struct ucred *cred, struct mount *mp,
>     struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
> {
>         int error;
>         ...
>         /*added by Zhouyi Zhou*/
>         if (cred->cr_label == NULL)
>         {
>                 mac_init_cred(cred);
>                 mac_copy_cred(curthread->td_ucred, cred);
>         }
>         /*added by Zhouyi Zhou*/
>         ...
>         MAC_CHECK(create_vnode_extattr, cred, mp, mp->mnt_fslabel,
>             dvp, dvp->v_label, vp, vp->v_label, cnp);
> ////////////////
> It could also have vp or dvp's label assigned to the cred.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart1172575.PxHO3y5ZhD Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBElLXCXyyEoT62BG0RAvFKAJ4hRKMxc4S9ohZBysBWxmjWi/n3EgCeJXL6 WblfvY3qn5rsrSMZ6+PrRGQ= =evBU -----END PGP SIGNATURE----- --nextPart1172575.PxHO3y5ZhD--
From owner-trustedbsd-discuss@FreeBSD.ORG Mon Jun 19 22:31:46 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B40E16A479; Mon, 19 Jun 2006 22:31:46 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8134643D46; Mon, 19 Jun 2006 22:31:44 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.66.34.31] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu0) with ESMTP (Nemesis), id 0MKwh2-1FsSHX12Av-0000GB; Tue, 20 Jun 2006 00:31:43 +0200 
From: Max Laier Organization: FreeBSD To: trustedbsd-discuss@freebsd.org Date: Tue, 20 Jun 2006 00:31:35 +0200 User-Agent: KMail/1.9.1 References: <20060327184133.5a35b20f.zhouyi04@ios.cn> <200606172359.13019.max@love2party.net> In-Reply-To: <200606172359.13019.max@love2party.net> X-Face: ,,8R(x[kmU]tKN@>gtH1yQE4aslGdu+2]; R]*pL,U>^H?)gW@49@wdJ`H<=?utf-8?q?=25=7D*=5FBD=0A=09U=5For=3D=5CmOZf764=26nYj=3DJYbR1PW0ud?=>|!~,,CPC.1-D$FG@0h3#'5"k{V]a~.<=?utf-8?q?mZ=7D44=23Se=7Em=0A=09Fe=7E=5C=5DX5B=5D=5Fxj?=(ykz9QKMw_l0C2AQ]}Ym8)fU MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1469172.zoctvQ2xWR"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200606200031.41919.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Christian Brueffer Subject: Re: MAC Framework has confict with IP firewall X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Jun 2006 22:31:46 -0000

--nextPart1469172.zoctvQ2xWR Content-Type: multipart/mixed; boundary="Boundary-01=_JXylEeUkvwl5+qb" Content-Transfer-Encoding: 7bit Content-Disposition: inline

--Boundary-01=_JXylEeUkvwl5+qb Content-Type: text/plain; charset="iso-8859-6" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline

On Saturday 17 June 2006 23:59, Max Laier wrote:
> On Monday 27 March 2006 12:41, zhouyi zhou wrote:
> > MAC Framework has conflict with IP firewall
> > because in function ipfw_tick of file ip_fw2.c, the mbuf is created
> > without MAC label being initialized and sent directly to ip_output.
>
> Christian Brueffer made me aware of this problem. Here is what we believe
> should work as a temporary workaround to this problem.
The final solution > would involve assigning a label with firewall states (derived from the > packet that creates the state) and then using this label for the mbuf > created for keepalives etc. > > The attached modifies biba, lomac and mls. Per Christian's request and FYI, here's the patch for RELENG_6. =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --Boundary-01=_JXylEeUkvwl5+qb Content-Type: text/x-diff; charset="iso-8859-6"; name="mac_firewall.RELENG_6.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="mac_firewall.RELENG_6.diff" Index: contrib/pf/net/pf.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf.c,v retrieving revision 1.34.2.3 diff -u -r1.34.2.3 pf.c =2D-- contrib/pf/net/pf.c 30 Dec 2005 00:50:18 -0000 1.34.2.3 +++ contrib/pf/net/pf.c 19 Jun 2006 21:37:52 -0000 @@ -44,6 +44,8 @@ #ifdef __FreeBSD__ #include "opt_bpf.h" #include "opt_pf.h" +#include "opt_mac.h" + #define NBPFILTER DEV_BPF #define NPFLOG DEV_PFLOG #define NPFSYNC DEV_PFSYNC @@ -62,6 +64,7 @@ #include #include #ifdef __FreeBSD__ +#include #include #include #else @@ -176,7 +179,12 @@ struct pf_addr *, struct pf_addr *, u_int16_t, u_int16_t *, u_int16_t *, u_int16_t *, u_int16_t *, u_int8_t, sa_family_t); +#ifdef __FreeBSD__ +void pf_send_tcp(struct mbuf *, + const struct pf_rule *, sa_family_t, +#else void pf_send_tcp(const struct pf_rule *, sa_family_t, +#endif const struct pf_addr *, const struct pf_addr *, u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, 
@@ -1098,7 +1106,11 @@ cur->local_flags |=3D PFSTATE_EXPIRING; #endif if (cur->src.state =3D=3D PF_TCPS_PROXY_DST) +#ifdef __FreeBSD__ + pf_send_tcp(NULL, cur->rule.ptr, cur->af, +#else pf_send_tcp(cur->rule.ptr, cur->af, +#endif &cur->ext.addr, &cur->lan.addr, cur->ext.port, cur->lan.port, cur->src.seqhi, cur->src.seqlo + 1, @@ -1558,7 +1570,11 @@ } =20 void +#ifdef __FreeBSD__ +pf_send_tcp(struct mbuf *replyto, const struct pf_rule *r, sa_family_t af, +#else pf_send_tcp(const struct pf_rule *r, sa_family_t af, +#endif const struct pf_addr *saddr, const struct pf_addr *daddr, u_int16_t sport, u_int16_t dport, u_int32_t seq, u_int32_t ack, u_int8_t flags, u_int16_t win, u_int16_t mss, u_int8_t ttl, int tag, @@ -1597,6 +1613,16 @@ m =3D m_gethdr(M_DONTWAIT, MT_HEADER); if (m =3D=3D NULL) return; +#ifdef __FreeBSD__ +#ifdef MAC + if (replyto) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpproxy(m); +#else + (void)replyto; +#endif +#endif if (tag) { #ifdef __FreeBSD__ m->m_flags |=3D M_SKIP_FIREWALL; @@ -3130,7 +3156,11 @@ ack++; if (th->th_flags & TH_FIN) ack++; +#ifdef __FreeBSD__ + pf_send_tcp(m, r, af, pd->dst, +#else pf_send_tcp(r, af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ack, TH_RST|TH_ACK, 0, 0, r->return_ttl, 1, pd->eh, kif->pfik_ifp); @@ -3331,7 +3361,11 @@ mss =3D pf_calc_mss(saddr, af, mss); mss =3D pf_calc_mss(daddr, af, mss); s->src.mss =3D mss; +#ifdef __FreeBSD__ + pf_send_tcp(NULL, r, af, daddr, saddr, th->th_dport, +#else pf_send_tcp(r, af, daddr, saddr, th->th_dport, +#endif th->th_sport, s->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, s->src.mss, 0, 1, NULL, NULL); REASON_SET(&reason, PFRES_SYNPROXY); 
@@ -4332,7 +4366,11 @@ REASON_SET(reason, PFRES_SYNPROXY); return (PF_DROP); } +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, (*state)->src.seqhi, ntohl(th->th_seq) + 1, TH_SYN|TH_ACK, 0, (*state)->src.mss, 0, 1, @@ -4371,7 +4409,12 @@ (*state)->src.max_win =3D MAX(ntohs(th->th_win), 1); if ((*state)->dst.seqhi =3D=3D 1) (*state)->dst.seqhi =3D htonl(arc4random()); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->dst.seqhi, 0, TH_SYN, 0, (*state)->src.mss, 0, 0, NULL, NULL); @@ -4385,12 +4428,21 @@ } else { (*state)->dst.max_win =3D MAX(ntohs(th->th_win), 1); (*state)->dst.seqlo =3D ntohl(th->th_seq); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, pd->dst, +#else pf_send_tcp((*state)->rule.ptr, pd->af, pd->dst, +#endif pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), ntohl(th->th_seq) + 1, TH_ACK, (*state)->src.max_win, 0, 0, 0, NULL, NULL); +#ifdef __FreeBSD__ + pf_send_tcp(NULL, (*state)->rule.ptr, pd->af, + &src->addr, +#else pf_send_tcp((*state)->rule.ptr, pd->af, &src->addr, +#endif &dst->addr, src->port, dst->port, (*state)->src.seqhi + 1, (*state)->src.seqlo + 1, TH_ACK, (*state)->dst.max_win, 0, 0, 1, 
@@ -4669,7 +4721,11 @@ (*state)->src.state =3D=3D TCPS_SYN_SENT) { /* Send RST for state mismatches during handshake */ if (!(th->th_flags & TH_RST)) +#ifdef __FreeBSD__ + pf_send_tcp(m, (*state)->rule.ptr, pd->af, +#else pf_send_tcp((*state)->rule.ptr, pd->af, +#endif pd->dst, pd->src, th->th_dport, th->th_sport, ntohl(th->th_ack), 0, TH_RST, 0, 0, Index: modules/ipfw/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/modules/ipfw/Makefile,v retrieving revision 1.21.2.1 diff -u -r1.21.2.1 Makefile =2D-- modules/ipfw/Makefile 11 Feb 2006 08:19:37 -0000 1.21.2.1 +++ modules/ipfw/Makefile 19 Jun 2006 21:36:47 -0000 @@ -4,7 +4,7 @@ =20 KMOD=3D ipfw SRCS=3D ip_fw2.c ip_fw_pfil.c =2DSRCS+=3D opt_inet6.h opt_ipsec.h +SRCS+=3D opt_inet6.h opt_ipsec.h opt_mac.h =20 CFLAGS+=3D -DIPFIREWALL # Index: modules/pf/Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/modules/pf/Makefile,v retrieving revision 1.7.2.2 diff -u -r1.7.2.2 Makefile =2D-- modules/pf/Makefile 22 Mar 2006 15:56:32 -0000 1.7.2.2 +++ modules/pf/Makefile 19 Jun 2006 21:36:48 -0000 
@@ -6,7 +6,7 @@ KMOD=3D pf SRCS =3D pf.c pf_if.c pf_subr.c pf_osfp.c pf_ioctl.c pf_norm.c pf_table.c= \ in4_cksum.c \ =2D opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h + opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h opt_mac.h =20 CFLAGS+=3D -I${.CURDIR}/../../contrib/pf =20 Index: netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.13 diff -u -r1.106.2.13 ip_fw2.c =2D-- netinet/ip_fw2.c 2 Jun 2006 04:02:06 -0000 1.106.2.13 +++ netinet/ip_fw2.c 19 Jun 2006 21:36:48 -0000 @@ -43,6 +43,7 @@ #endif #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_mac.h" =20 #include #include @@ -51,6 +52,7 @@ #include #include #include +#include #include #include #include @@ -1556,9 +1558,12 @@ * When flags & TH_RST, we are sending a RST packet, because of a * "reset" action matched the packet. * Otherwise we are sending a keepalive, and flags & TH_ + * The 'replyto' mbuf is the mbuf being replied to, if any, and is required + * so that MAC can label the reply appropriately. */ static struct mbuf * =2Dsend_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flag= s) +send_pkt(struct mbuf *replyto, struct ipfw_flow_id *id, u_int32_t seq, + u_int32_t ack, int flags) { struct mbuf *m; struct ip *ip; @@ -1568,6 +1573,16 @@ if (m =3D=3D 0) return (NULL); m->m_pkthdr.rcvif =3D (struct ifnet *)0; + +#ifdef MAC + if (replyto !=3D NULL) + mac_firewall_tcpreflect(replyto, m); + else + mac_firewall_tcpkeepalive(m); +#else + (void)replyto; /* don't warn about unused arg */ +#endif + m->m_pkthdr.len =3D m->m_len =3D sizeof(struct ip) + sizeof(struct tcphdr= ); m->m_data +=3D max_linkhdr; =20 
@@ -1652,8 +1667,8 @@ L3HDR(struct tcphdr, mtod(args->m, struct ip *)); if ( (tcp->th_flags & TH_RST) =3D=3D 0) { struct mbuf *m; =2D m =3D send_pkt(&(args->f_id), ntohl(tcp->th_seq), =2D ntohl(tcp->th_ack), + m =3D send_pkt(args->m, &(args->f_id), + ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); if (m !=3D NULL) ip_output(m, NULL, NULL, 0, NULL, NULL); @@ -4147,11 +4162,11 @@ if (TIME_LEQ(q->expire, time_second)) continue; /* too late, rule expired */ =20 =2D *mtailp =3D send_pkt(&(q->id), q->ack_rev - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; =2D *mtailp =3D send_pkt(&(q->id), q->ack_fwd - 1, + *mtailp =3D send_pkt(NULL, &(q->id), q->ack_fwd - 1, q->ack_rev, 0); if (*mtailp !=3D NULL) mtailp =3D &(*mtailp)->m_nextpkt; Index: security/mac/mac_inet.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac/mac_inet.c,v retrieving revision 1.1 diff -u -r1.1 mac_inet.c =2D-- security/mac/mac_inet.c 26 Feb 2004 03:51:04 -0000 1.1 +++ security/mac/mac_inet.c 19 Jun 2006 21:36:48 -0000 
@@ -290,3 +290,41 @@ INP_LOCK_ASSERT(inp); MAC_PERFORM(inpcb_sosetlabel, so, so->so_label, inp, inp->inp_label); } + +void +mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to) +{ + struct label *fromlabel, *tolabel; + + M_ASSERTPKTHDR(from); + M_ASSERTPKTHDR(to); + + fromlabel =3D mac_mbuf_to_label(from); + tolabel =3D mac_mbuf_to_label(to); + + MAC_PERFORM(firewall_tcpreflect, from, fromlabel, to, tolabel); +} + +void +mac_firewall_tcpkeepalive(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpkeepalive, m, label); +} + +void +mac_firewall_tcpproxy(struct mbuf *m) +{ + struct label *label; + + M_ASSERTPKTHDR(m); + + label =3D mac_mbuf_to_label(m); + + MAC_PERFORM(firewall_tcpproxy, m, label); +} Index: security/mac_biba/mac_biba.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_biba/mac_biba.c,v retrieving revision 1.87.2.4 diff -u -r1.87.2.4 mac_biba.c =2D-- security/mac_biba/mac_biba.c 24 Jan 2006 04:10:25 -0000 1.87.2.4 +++ security/mac_biba/mac_biba.c 19 Jun 2006 21:36:48 -0000 
@@ -1381,6 +1381,40 @@ mac_biba_copy(source, dest); } =20 +static void +mac_biba_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_biba *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_biba_copy_effective(source, dest); +} + +static void +mac_biba_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + +static void +mac_biba_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_biba *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_biba_set_effective(dest, MAC_BIBA_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -3115,6 +3149,9 @@ .mpo_relabel_ifnet =3D mac_biba_relabel_ifnet, .mpo_update_ipq =3D mac_biba_update_ipq, .mpo_inpcb_sosetlabel =3D mac_biba_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_biba_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_biba_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_biba_firewall_tcpproxy, .mpo_create_proc0 =3D mac_biba_create_proc0, .mpo_create_proc1 =3D mac_biba_create_proc1, .mpo_relabel_cred =3D mac_biba_relabel_cred, Index: security/mac_lomac/mac_lomac.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_lomac/mac_lomac.c,v retrieving revision 1.35.2.3 diff -u -r1.35.2.3 mac_lomac.c =2D-- security/mac_lomac/mac_lomac.c 5 Oct 2005 10:31:04 -0000 1.35.2.3 +++ security/mac_lomac/mac_lomac.c 19 Jun 2006 21:36:48 -0000 
@@ -1446,6 +1446,40 @@ mac_lomac_copy_single(source, dest); } =20 +static void +mac_lomac_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_lomac *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_lomac_copy_single(source, dest); +} + +static void +mac_lomac_firewall_tcpkeepalive(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + +static void +mac_lomac_firewall_tcpproxy(struct mbuf *m, struct label *label) +{ + struct mac_lomac *dest; + + dest =3D SLOT(label); + + /* XXX: where is the label for the firewall really comming from? */ + mac_lomac_set_single(dest, MAC_LOMAC_TYPE_EQUAL, 0); +} + /* * Labeling event operations: processes. */ @@ -2639,6 +2673,9 @@ .mpo_relabel_ifnet =3D mac_lomac_relabel_ifnet, .mpo_update_ipq =3D mac_lomac_update_ipq, .mpo_inpcb_sosetlabel =3D mac_lomac_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_lomac_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_lomac_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_lomac_firewall_tcpproxy, .mpo_execve_transition =3D mac_lomac_execve_transition, .mpo_execve_will_transition =3D mac_lomac_execve_will_transition, .mpo_create_proc0 =3D mac_lomac_create_proc0, Index: security/mac_mls/mac_mls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/security/mac_mls/mac_mls.c,v retrieving revision 1.72.2.3 diff -u -r1.72.2.3 mac_mls.c =2D-- security/mac_mls/mac_mls.c 5 Oct 2005 10:31:04 -0000 1.72.2.3 +++ security/mac_mls/mac_mls.c 19 Jun 2006 21:36:48 -0000 
@@ -1305,6 +1305,40 @@ mac_mls_copy(source, dest); } =20 +static void +mac_mls_firewall_tcpreflect(struct mbuf *from, struct label *fromlabel, + struct mbuf *to, struct label *tolabel) +{ + struct mac_mls *source, *dest; + + source =3D SLOT(fromlabel); + dest =3D SLOT(tolabel); + + mac_mls_copy_effective(source, dest); +} + +static void +mac_mls_firewall_tcpkeepalive(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + +static void +mac_mls_firewall_tcpproxy(struct mbuf *m, struct label *mbuflabel) +{ + struct mac_mls *dest; + + dest =3D SLOT(mbuflabel); + + /* XXX: where is the label for the firewall really comming from? */ + mac_mls_set_effective(dest, MAC_MLS_TYPE_EQUAL, 0, NULL); +} + /* * Labeling event operations: processes. */ @@ -2884,6 +2918,9 @@ .mpo_relabel_ifnet =3D mac_mls_relabel_ifnet, .mpo_update_ipq =3D mac_mls_update_ipq, .mpo_inpcb_sosetlabel =3D mac_mls_inpcb_sosetlabel, + .mpo_firewall_tcpreflect =3D mac_mls_firewall_tcpreflect, + .mpo_firewall_tcpkeepalive =3D mac_mls_firewall_tcpkeepalive, + .mpo_firewall_tcpproxy =3D mac_mls_firewall_tcpproxy, .mpo_create_proc0 =3D mac_mls_create_proc0, .mpo_create_proc1 =3D mac_mls_create_proc1, .mpo_relabel_cred =3D mac_mls_relabel_cred, Index: sys/mac.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/sys/mac.h,v retrieving revision 1.67.2.2 diff -u -r1.67.2.2 mac.h =2D-- sys/mac.h 5 Oct 2005 10:31:05 -0000 1.67.2.2 +++ sys/mac.h 19 Jun 2006 21:36:48 -0000 
@@ -266,6 +266,13 @@ void mac_reflect_mbuf_tcp(struct mbuf *m); void mac_update_ipq(struct mbuf *fragment, struct ipq *ipq); void mac_inpcb_sosetlabel(struct socket *so, struct inpcb *inp); +void mac_firewall_tcpreflect(struct mbuf *from, struct mbuf *to); +/* + * XXX: The next two should be combined to mac_mbuf_from_firewall_state if + * we'd stick labels to firewall states. Later! + */ +void mac_firewall_tcpkeepalive(struct mbuf *m); +void mac_firewall_tcpproxy(struct mbuf *m); =20 /* * Labeling event operations: processes. Index: sys/mac_policy.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/sys/mac_policy.h,v retrieving revision 1.66.2.3 diff -u -r1.66.2.3 mac_policy.h =2D-- sys/mac_policy.h 5 Oct 2005 10:31:05 -0000 1.66.2.3 +++ sys/mac_policy.h 19 Jun 2006 22:13:08 -0000 
@@ -322,6 +322,13 @@ void (*mpo_inpcb_sosetlabel)(struct socket *so, struct label *label, struct inpcb *inp, struct label *inplabel); + void (*mpo_firewall_tcpreflect)(struct mbuf *from, + struct label *fromlabel, struct mbuf *to, + struct label *tolabel); + void (*mpo_firewall_tcpkeepalive)(struct mbuf *m, + struct label *label); + void (*mpo_firewall_tcpproxy)(struct mbuf *m, + struct label *label); =20 /* * Labeling event operations: processes. --Boundary-01=_JXylEeUkvwl5+qb-- --nextPart1469172.zoctvQ2xWR Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQBElyXNXyyEoT62BG0RAsVTAJ9ZF6K10mfE+ySI3OUrzg/pydXW2QCcDzrt MNCcJbmgbtewakKjuIWDirM= =Sno7 -----END PGP SIGNATURE----- --nextPart1469172.zoctvQ2xWR--
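
Review bot: In contrib/pf/net/pf.c, the pf_send_tcp() hunk at @@ -1597,6 +1613,16 @@ chooses the MAC hook only from whether replyto is NULL, and nothing in the function says so. Every caller that passes NULL (the state-expiry path at @@ -1098 and the synproxy SYN|ACK, SYN and ACK paths) ends up in mac_firewall_tcpproxy(), which the policies in this patch label EQUAL. Add a comment above the #ifdef MAC block stating that NULL means "no packet in hand to reflect, use the proxy label", so a later caller does not pass NULL by accident and silently get that label.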
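
Review bot: In netinet/ip_fw2.c, the comment hunk at @@ -1556,9 +1558,12 @@ appends the description of 'replyto' directly after the context line ending in "flags & TH_", so the new sentence is glued onto an unfinished one. Start the addition as its own comment paragraph, and say there that a NULL replyto selects mac_firewall_tcpkeepalive() rather than only "if any"; the body hunk at @@ -1568,6 +1573,16 @@ relies on exactly that, and the two send_pkt(NULL, ...) callers at @@ -4147,11 +4162,11 @@ are the only ones that should take that branch.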
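
Review bot: In security/mac/mac_inet.c, the three entry points added at @@ -290,3 +290,41 @@ have no comment saying which firewall event invokes each one or what the destination label holds on entry; the only description is the XXX in sys/mac.h. A short block comment above mac_firewall_tcpreflect() covering all three (reflect: reply built from a packet in hand; keepalive: the ipfw keepalive sent without one; proxy: the pf segments sent with a NULL replyto) would let a policy author implement the hooks without reading pf.c and ip_fw2.c.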
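
Review bot: In security/mac_biba/mac_biba.c, security/mac_lomac/mac_lomac.c and security/mac_mls/mac_mls.c, the tcpkeepalive and tcpproxy hooks set the label to MAC_BIBA_TYPE_EQUAL, MAC_LOMAC_TYPE_EQUAL and MAC_MLS_TYPE_EQUAL, which takes every firewall-generated keepalive and synproxy segment out of the policy's comparisons regardless of the flow it belongs to. The XXX comment asks where the label should come from but does not say that EQUAL is a deliberate stop-gap; state that, and point at the planned per-state label, so it is not read as the intended policy. The two hook bodies are identical in each file, so one static helper per policy would do, and "comming" in the XXX comments should be "coming".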
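
Review bot: In sys/mac_policy.h, the hunk at @@ -322,6 +322,13 @@ inserts three function pointers into the middle of the policy operations structure, right after mpo_inpcb_sosetlabel, which shifts the offset of every entry that follows. The biba, lomac and mls hunks use designated initializers (.mpo_firewall_tcpreflect = ...), so they rebuild cleanly, but a policy module compiled against the old header would have its later entry points read from the wrong slots. Since this is posted as a RELENG_6 patch, either append the new entries at the end of the structure or say explicitly that all MAC policy modules must be rebuilt with it.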
From owner-trustedbsd-discuss@FreeBSD.ORG Sat Jul 8 10:16:01 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8503616A4E1; Sat, 8 Jul 2006 10:16:01 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from
cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 199DF43D58; Sat, 8 Jul 2006 10:16:01 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id BA35E46D00; Sat, 8 Jul 2006 06:16:00 -0400 (EDT) Date: Sat, 8 Jul 2006 11:16:00 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-discuss@TrustedBSD.org Message-ID: <20060708111221.M94284@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@FreeBSD.org Subject: Poll for users: mac_partition and mac_ifoff policies X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Jul 2006 10:16:01 -0000

Dear all,

I'm currently in the process of reviewing the use of the MAC Framework in
FreeBSD, following meetings at the developer summit about proposed
simplifications and enhancements. One of the on-going concerns I have had is
that several of the policies we ship are reference implementation policies,
rather than reference user policies:

  mac_ifoff      - Interface silencing
  mac_partition  - Process space partitions
  mac_stub       - Stub MAC policy entry points
  mac_test       - Invariants testing

While mac_stub and mac_test are both extremely useful for developers as
shipped, it's not clear to me that mac_ifoff and mac_partition offer
significantly similar value, and as they are reference policies rather than
production policies, my leaning is to provide them as downloads on the
TrustedBSD web site and via p4, but to not ship them with FreeBSD 7.0. So
this e-mail is to poll to see if anyone is currently using the mac_ifoff and
mac_partition policies in production, and would object on those grounds to
shipping them separately from the base OS.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Sat Jul 8 11:55:29 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 129FE16A4DE for ; Sat, 8 Jul 2006 11:55:29 +0000 (UTC) (envelope-from vladgalu@gmail.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9603543D49 for ; Sat, 8 Jul 2006 11:55:28 +0000 (GMT) (envelope-from vladgalu@gmail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.191]) by cyrus.watson.org (Postfix) with ESMTP id 0BB4646BE9 for ; Sat, 8 Jul 2006 07:55:27 -0400 (EDT) Received: by nf-out-0910.google.com with SMTP id a25so320098nfc for ; Sat, 08 Jul 2006 04:55:25 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=OiL6x4kkeItJPA3Ys05E8KenzKm4yxYwkXF/+nwZIaHZ1b4Fr9SF+xq4UHZP5r+NsAcv1/2yzq0Inh/HKv2cf4KZe9qAADg6u0h4Av7qFkoT9pwMwPJfRkGGPZX4NuSExqFhjATFGXdFXfMoj8pAFdqgcjeaznHp1FE2GNfZiyY= Received: by 10.48.242.8 with SMTP id p8mr2173430nfh; Sat, 08 Jul 2006 04:55:25 -0700 (PDT) Received: by 10.48.250.2 with HTTP; Sat, 8 Jul 2006 04:55:24 -0700 (PDT) Message-ID: <79722fad0607080455s8a5415fs49cacd23031f8cfb@mail.gmail.com> Date: Sat, 8 Jul 2006 14:55:24 +0300
From: "Vlad GALU" To: trustedbsd-discuss@trustedbsd.org In-Reply-To: <20060708111221.M94284@fledge.watson.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20060708111221.M94284@fledge.watson.org> Cc: Subject: Re: Poll for users: mac_partition and mac_ifoff policies X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Jul 2006 11:55:29 -0000

On 7/8/06, Robert Watson wrote:
>
> Dear all,
>
> I'm currently in the process of reviewing the use of the MAC Framework in
> FreeBSD, following meetings at the developer summit about proposed
> simplifications and enhancements. One of the on-going concerns I have had is
> that several of the policies we ship are reference implementation policies,
> rather than reference user policies:
>
>   mac_ifoff      - Interface silencing
>   mac_partition  - Process space partitions
>   mac_stub       - Stub MAC policy entry points
>   mac_test       - Invariants testing
>
> While mac_stub and mac_test are both extremely useful for developers as
> shipped, it's not clear to me that mac_ifoff and mac_partition offer
> significantly similar value, and as they are reference policies rather than
> production policies, my leaning is to provide them as downloads on the
> TrustedBSD web site and via p4, but to not ship them with FreeBSD 7.0. So
> this e-mail is to poll to see if anyone is currently using the mac_ifoff and
> mac_partition policies in production, and would object on those grounds to
> shipping them separately from the base OS.

I use mac_partition in production. However, I wouldn't mind having
it as a separate module as long as it doesn't become cumbersome to the
update (buildworld, installworld) process.
In other words, I'd like having it in sync with whatever OS branch I'm using.

>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Jul 13 07:36:42 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 280E216A4DA for ; Thu, 13 Jul 2006 07:36:42 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from pittgoth.com (ns1.pittgoth.com [216.38.206.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F1D143D4C for ; Thu, 13 Jul 2006 07:36:41 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (net-ix.gw.ai.net [205.134.160.6] (may be forged)) (authenticated bits=0) by pittgoth.com (8.13.4/8.13.4) with ESMTP id k6D7mM44003416 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Thu, 13 Jul 2006 03:48:22 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Thu, 13 Jul 2006 03:36:33 -0400
From: Tom Rhodes To: trustedbsd-discuss@FreeBSD.org Message-Id: <20060713033633.362f272e.trhodes@FreeBSD.org> Organization: The FreeBSD Project X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Interesting link on OpenSolaris X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Jul 2006 07:36:42 -0000

Hi,

Glenn Brunette, a Sun employee posted this link to a list I'm on, and it
appears pretty interesting:

http://www.opensolaris.org/os/project/smf-profiles/Design/

To quote some of Glenn's email:

"It will have a strong bearing on the future of hardening Solaris down the
road. For those that may not have seen it, the Solaris Secure by Default
project also integrated into Nevada/OpenSolaris at build 42:

http://blogs.sun.com/gbrunett?entry=solaris_secure_by_default_part "

Seems pretty interesting to me.

-- 
Tom Rhodes

From owner-trustedbsd-discuss@FreeBSD.ORG Wed Jul 19 11:10:41 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49E4516A4DA; Wed, 19 Jul 2006 11:10:41 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEAAA43D4C; Wed, 19 Jul 2006 11:10:40 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 8DC1346C36; Wed, 19 Jul 2006 07:10:40 -0400 (EDT) Date: Wed, 19 Jul 2006 12:10:40 +0100 (BST)
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Tom Rhodes In-Reply-To: <20060713033633.362f272e.trhodes@FreeBSD.org> Message-ID: <20060719120751.G2059@fledge.watson.org> References: <20060713033633.362f272e.trhodes@FreeBSD.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@FreeBSD.org Subject: Re: Interesting link on OpenSolaris X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Jul 2006 11:10:41 -0000 On Thu, 13 Jul 2006, Tom Rhodes wrote: > Glenn Brunette, a Sun employee posted this link to a list I'm on, and it > appears pretty interesting: > > http://www.opensolaris.org/os/project/smf-profiles/Design/ > > To quote some of Glenn's email: > > "It will have a strong bearing on the future of hardening Solaris down the > road. For those that may not have seen it, the Solaris Secure by Default > project also integrated into Nevada/OpenSolaris at build 42: > > http://blogs.sun.com/gbrunett?entry=solaris_secure_by_default_part " > > Seems pretty interesting to me. Yes, for this reason FreeBSD has generally been configured with all network services disabled by default for several years, although we offer explicit options to turn certain services on from inception during the install process (such as sshd). 
Robert N M Watson Computer Laboratory University of Cambridge From owner-trustedbsd-discuss@FreeBSD.ORG Sat Aug 5 23:32:28 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D8F916A4DF for ; Sat, 5 Aug 2006 23:32:28 +0000 (UTC) (envelope-from pawel.worach@gmail.com) Received: from hu-out-0102.google.com (hu-out-0102.google.com [72.14.214.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0CDF43D6A for ; Sat, 5 Aug 2006 23:32:04 +0000 (GMT) (envelope-from pawel.worach@gmail.com) Received: by hu-out-0102.google.com with SMTP id 27so371234hub for ; Sat, 05 Aug 2006 16:32:02 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:content-type:content-transfer-encoding; b=Bp/8t0ZZ+myef6FXSntxmX0zogByaPGmoKrtP3a7O1sX7LbY7yzVZflxPg8de9rXLCKcLqHIADZEc/SWR4OwOQ7TJC9buq3jXWDL4GgN/LS3u0dEQPwg0enJBxEL6ilh4qt+v4l99Evj8i4qODhGmnNJ/fQiFm7snZhieLG1kSY= Received: by 10.78.139.5 with SMTP id m5mr2003343hud; Sat, 05 Aug 2006 16:30:30 -0700 (PDT) Received: from ?192.168.1.200? ( [80.217.194.157]) by mx.gmail.com with ESMTP id y18sm904175hua.2006.08.05.16.30.29; Sat, 05 Aug 2006 16:30:30 -0700 (PDT) Message-ID: <44D52A0F.1040009@gmail.com> Date: Sun, 06 Aug 2006 01:30:23 +0200 
From: Pawel Worach User-Agent: Thunderbird 1.5.0.5 (X11/20060730) MIME-Version: 1.0 To: trustedbsd-discuss@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: praudit argument token display inconsistency X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Aug 2006 23:32:28 -0000 Hi, Is there a specific reason when printing an arg32 or arg64 token with praudit the # modifier is used for %x ? For zero token vales this causes an inconsistency like shown below, 0 vs. 0x1. OpenSolaris prints zero token values as 0x0. header,162,1,chown(2),0,Sun Aug 6 00:22:19 2006, + 364 msec argument,2,0,new file uid argument,3,0,new file gid ... header,162,1,chown(2),0,Sun Aug 6 00:24:21 2006, + 532 msec argument,2,0x1,new file uid argument,3,0x1,new file gid ... Quick fix: Index: contrib/openbsm/libbsm/bsm_io.c =================================================================== RCS file: /export/ctm/cvs/src/contrib/openbsm/libbsm/bsm_io.c,v retrieving revision 1.1.1.3 diff -u -r1.1.1.3 bsm_io.c --- contrib/openbsm/libbsm/bsm_io.c 5 Jun 2006 10:52:11 -0000 1.1.1.3 +++ contrib/openbsm/libbsm/bsm_io.c 5 Aug 2006 23:28:12 -0000 @@ -820,7 +820,7 @@ print_delim(fp, del); print_1_byte(fp, tok->tt.arg32.no, "%u"); print_delim(fp, del); - print_4_bytes(fp, tok->tt.arg32.val, "%#x"); + print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); print_delim(fp, del); print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); } 
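Review bot: in the arg32 hunk, replacing "%#x" with "0x%x" changes what praudit emits for a zero value from 0 to 0x0, so anything that matches on the old text (scripts, log parsers, regression baselines) will see different output; that deserves a line in the commit message or release notes. The cause is that the C # flag prefixes only nonzero results for x conversions, so it is also worth checking whether other print_*_bytes callers in bsm_io.c pass a "%#x" style format and need the same change for consistency.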
@@ -859,7 +859,7 @@ print_delim(fp, del); print_1_byte(fp, tok->tt.arg64.no, "%u"); print_delim(fp, del); - print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); + print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); print_delim(fp, del); print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); } Regards -- Pawel From owner-trustedbsd-discuss@FreeBSD.ORG Tue Aug 15 16:23:57 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52B3516A4E1 for ; Tue, 15 Aug 2006 16:23:57 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A40F43D7E for ; Tue, 15 Aug 2006 16:23:53 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 8D8F146B0A; Tue, 15 Aug 2006 12:23:52 -0400 (EDT) Date: Tue, 15 Aug 2006 17:23:52 +0100 (BST) 
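Review bot: the arg64 line keeps the ll length modifier, so "0x%llx" is only correct if print_8_bytes hands the formatter an unsigned long long; the hunk does not show that helper, and a fixed-width 64-bit type is not unsigned long long on every platform. Consider confirming the cast inside print_8_bytes, or formatting with PRIx64 from <inttypes.h>, for example "0x%" PRIx64. The change from the # flag to a literal prefix mirrors the arg32 hunk.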
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Pawel Worach In-Reply-To: <44D52A0F.1040009@gmail.com> Message-ID: <20060815172301.G45647@fledge.watson.org> References: <44D52A0F.1040009@gmail.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@FreeBSD.org Subject: Re: praudit argument token display inconsistency X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Aug 2006 16:23:57 -0000 On Sun, 6 Aug 2006, Pawel Worach wrote: > Is there a specific reason when printing an arg32 or arg64 token with > praudit the # modifier is used for %x ? For zero token vales this causes an > inconsistency like shown below, 0 vs. 0x1. OpenSolaris prints zero token > values as 0x0. Pawel, Sorry for the delay in getting back to you. There is no reason that I know of. I've submitted your fix to Perforce, and it will appear in OpenBSM 1.0a8 later this week. Thanks for your help! Robert N M Watson Computer Laboratory University of Cambridge > > header,162,1,chown(2),0,Sun Aug 6 00:22:19 2006, + 364 msec > argument,2,0,new file uid > argument,3,0,new file gid > ... > > header,162,1,chown(2),0,Sun Aug 6 00:24:21 2006, + 532 msec > argument,2,0x1,new file uid > argument,3,0x1,new file gid > ... > > Quick fix: > Index: contrib/openbsm/libbsm/bsm_io.c > =================================================================== > RCS file: /export/ctm/cvs/src/contrib/openbsm/libbsm/bsm_io.c,v > retrieving revision 1.1.1.3 > diff -u -r1.1.1.3 bsm_io.c > --- contrib/openbsm/libbsm/bsm_io.c 5 Jun 2006 10:52:11 -0000 > 1.1.1.3 > +++ contrib/openbsm/libbsm/bsm_io.c 5 Aug 2006 23:28:12 -0000 
> @@ -820,7 +820,7 @@ > print_delim(fp, del); > print_1_byte(fp, tok->tt.arg32.no, "%u"); > print_delim(fp, del); > - print_4_bytes(fp, tok->tt.arg32.val, "%#x"); > + print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); > print_delim(fp, del); > print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); > } 
> @@ -859,7 +859,7 @@ > print_delim(fp, del); > print_1_byte(fp, tok->tt.arg64.no, "%u"); > print_delim(fp, del); > - print_8_bytes(fp, tok->tt.arg64.val, "%#llx"); > + print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); > print_delim(fp, del); > print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); > } > > Regards > -- > Pawel > _______________________________________________ > trustedbsd-discuss@FreeBSD.org mailing list > http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss > To unsubscribe, send any mail to "trustedbsd-discuss-unsubscribe@FreeBSD.org" > From owner-trustedbsd-discuss@FreeBSD.ORG Fri Aug 25 16:56:54 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB48016A4DA for ; Fri, 25 Aug 2006 16:56:54 +0000 (UTC) (envelope-from 473219@googlemail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4A7D43D76 for ; Fri, 25 Aug 2006 16:56:49 +0000 (GMT) (envelope-from 473219@googlemail.com) Received: by nf-out-0910.google.com with SMTP id n29so919419nfc for ; Fri, 25 Aug 2006 09:56:48 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=tu/siQhzB3yf+mg3E+waFRN42lgPnkx1iwh8D5PAUbg7I+8m+jdVyaZdUpEtp76OZRKC0n2dzhkbuAZdXL/hzJZML8wzc7WPcLSrlLmn7rWRrCrLIQmsyICc4AKaMei2AKGIwCzG5/t/Kme7HNL+JzVM1p8JoqOv/wLUwHwRqm0= Received: by 10.48.220.15 with SMTP id s15mr5656812nfg; Fri, 25 Aug 2006 09:56:48 -0700 (PDT) Received: by 10.49.65.10 with HTTP; Fri, 25 Aug 2006 09:56:48 -0700 (PDT) Message-ID: Date: Fri, 25 Aug 2006 17:56:48 +0100 
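The 0 versus 0x0 difference discussed in the praudit thread above matters to any tool that parses praudit text output. The following C program is an added example, not OpenBSM code: it reproduces the two format strings from the patch and parses `argument` lines in either form. The struct and function names are hypothetical, and the sample lines are the ones quoted in the thread.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for one praudit "argument,<no>,<value>,<text>" line. */
struct arg_token {
    unsigned int no;
    unsigned long long val;
    char text[64];
};

/* Old format string from the patch: the # flag prefixes only nonzero results. */
const char *fmt_old(unsigned int v)
{
    static char buf[32];
    snprintf(buf, sizeof(buf), "%#x", v);
    return buf;
}

/* New format string from the patch: the prefix is literal, so zero gets it too. */
const char *fmt_new(unsigned int v)
{
    static char buf[32];
    snprintf(buf, sizeof(buf), "0x%x", v);
    return buf;
}

/* Parse one argument line; accepts "0" as well as "0x..." in the value field.
 * Returns 0 on success, -1 if the line is not a well-formed argument token. */
int parse_arg_token(const char *line, struct arg_token *out)
{
    static const char prefix[] = "argument,";
    const char *p;
    char *end;
    unsigned long no;
    unsigned long long val;

    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    p = line + sizeof(prefix) - 1;

    /* Argument number: printed with "%u" from a one-byte field. */
    if (!isdigit((unsigned char)*p))
        return -1;
    errno = 0;
    no = strtoul(p, &end, 10);
    if (errno != 0 || *end != ',' || no > 255)
        return -1;
    p = end + 1;

    /* Value: base 16 accepts an optional 0x prefix, so "0" and "0x0" both parse.
     * A bare "0x" stops at the 'x' and is rejected by the delimiter check. */
    if (!isxdigit((unsigned char)*p))
        return -1;
    errno = 0;
    val = strtoull(p, &end, 16);
    if (errno != 0 || *end != ',')
        return -1;

    out->no = (unsigned int)no;
    out->val = val;
    snprintf(out->text, sizeof(out->text), "%s", end + 1);
    out->text[strcspn(out->text, "\r\n")] = '\0';
    return 0;
}

/* Rewrite a line into the always-prefixed form; NULL if it is not an argument line. */
const char *canonicalize_line(const char *line)
{
    static char buf[128];
    struct arg_token t;

    if (parse_arg_token(line, &t) != 0)
        return NULL;
    snprintf(buf, sizeof(buf), "argument,%u,0x%llx,%s", t.no, t.val, t.text);
    return buf;
}

int main(void)
{
    /* Lines as quoted in the thread, plus a header line that must be skipped. */
    const char *lines[] = {
        "header,162,1,chown(2),0,Sun Aug 6 00:22:19 2006, + 364 msec",
        "argument,2,0,new file uid",
        "argument,3,0x1,new file gid",
    };
    size_t i;

    printf("%%#x of 0: %s, 0x%%x of 0: %s\n", fmt_old(0), fmt_new(0));
    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        const char *c = canonicalize_line(lines[i]);
        printf("%-30.30s -> %s\n", lines[i], c ? c : "(not an argument token)");
    }
    return 0;
}
```

Normalizing on input like this lets one consumer read audit trails rendered both before and after the fix.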
From: 473219@googlemail.com
To: trustedbsd-discuss@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Common Criteria certification?
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 25 Aug 2006 16:56:54 -0000

Hello,

Have any official evaluations been done (or planned) to test BSD operating systems for Common Criteria[1,2] certification ?

BSD could be a good match for my project, but the project must use an OS with CC EAL certification. Sponsoring a full CC EAL evaluation would be too expensive, but might be possible if there was previous work to start from. (Perhaps there is a "chicken-and-egg" problem!)

Thanks!

[1] http://www.commoncriteriaportal.org/
[2] http://niap.bahialab.com/cc-scheme/index.cfm

From owner-trustedbsd-discuss@FreeBSD.ORG Sat Aug 26 01:44:39 2006
Return-Path:
X-Original-To: trustedbsd-discuss@FreeBSD.org
Delivered-To: trustedbsd-discuss@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B5D9216A4DA for ; Sat, 26 Aug 2006 01:44:39 +0000 (UTC) (envelope-from geddis@apple.com)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62DCB43D4C for ; Sat, 26 Aug 2006 01:44:39 +0000 (GMT) (envelope-from geddis@apple.com)
Received: from relay7.apple.com (a17-128-113-37.apple.com [17.128.113.37]) by mail-out3.apple.com (8.12.11/8.12.11) with ESMTP id k7Q1idEI014855; Fri, 25 Aug 2006 18:44:39 -0700 (PDT)
Received: from [17.219.214.137] (unknown [17.219.214.137]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by relay7.apple.com (Apple SCV relay) with ESMTP id D84BAE; Fri, 25 Aug 2006 18:44:38 -0700 (PDT)
In-Reply-To:
References:
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: multipart/signed; micalg=sha1; boundary=Apple-Mail-1-8332790; protocol="application/pkcs7-signature"
Message-Id:
From: Shawn Geddis
Date: Fri, 25 Aug 2006 18:44:32 -0700
To: 473219@googlemail.com
X-Mailer: Apple Mail (2.752.2)
X-Brightmail-Tracker: AAAAAA==
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: Common Criteria certification?
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 26 Aug 2006 01:44:39 -0000

--Apple-Mail-1-8332790
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

On Aug 25, 2006, at 9:56 AM, 473219@googlemail.com wrote:

> Hello,
>
> Have any official evaluations been done (or planned) to test BSD operating
> systems for Common Criteria[1,2] certification ?
>
> BSD could be a good match for my project, but the project must use an OS
> with CC EAL certification. Sponsoring a full CC EAL evaluation would be too
> expensive, but might be possible if there was previous work to start from.
> (Perhaps there is a "chicken-and-egg" problem!)
>
> Thanks!
>
> [1] http://www.commoncriteriaportal.org/
> [2] http://niap.bahialab.com/cc-scheme/index.cfm

Considering that you are asking about BSD Operating Systems, Mac OS X is a BSD based system and Mac OS X 10.3.6 & Mac OS X Server 10.3.6 were both certified under Common Criteria against CAPP at EAL3, I would suggest that as your first option.

ALL of the source code and services that had to be evaluated are part of the open source components of OS X available as part of "Darwin".

All Darwin source code is available at:
http://www.opensource.apple.com/darwinsource/

Common Criteria Tools
http://www.apple.com/support/downloads/commoncriteriatools.html

Additional Resources

Common Criteria Test Case Download
http://download.info.apple.com/Mac_OS_X/061-1665.20050216.CCCTsCs/CCTestCases.dmg

See the following resources for further information:

Common Criteria Evaluation and Validation Scheme
http://niap.nist.gov/cc-scheme/st/ST_VID4012.html

NIAP Report
http://www.apple.com/support/security/commoncriteria/CC_NIAP.pdf

Common Criteria Support
http://www.apple.com/support/security/commoncriteria

White Paper
http://images.apple.com/support/security/commoncriteria/CC_Whitepaper.pdf

Admin Guide
http://images.apple.com/support/security/commoncriteria/CC_AdminGuide.pdf

- Shawn
___________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise Division (Public & Private Sector)

--Apple-Mail-1-8332790--

From owner-trustedbsd-discuss@FreeBSD.ORG Sat Aug 26 05:38:08 2006
Return-Path:
X-Original-To: trustedbsd-discuss@FreeBSD.org
Delivered-To: trustedbsd-discuss@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9499116A4DA for ; Sat, 26 Aug 2006 05:38:08 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4DDB643D58 for ; Sat, 26 Aug 2006 05:38:08 +0000 (GMT) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 5A7FD46BD9; Sat, 26 Aug 2006 01:38:07 -0400 (EDT)
Date: Sat, 26 Aug 2006 06:38:07 +0100 (BST)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: 473219@googlemail.com
In-Reply-To:
Message-ID: <20060826063327.N43127@fledge.watson.org>
References:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: trustedbsd-discuss@FreeBSD.org
Subject: Re: Common Criteria certification?
X-BeenThere: trustedbsd-discuss@FreeBSD.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TrustedBSD General Discussion List
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 26 Aug 2006 05:38:08 -0000

On Fri, 25 Aug 2006, 473219@googlemail.com wrote:

> Have any official evaluations been done (or planned) to test BSD operating
> systems for Common Criteria[1,2] certification ?
>
> BSD could be a good match for my project, but the project must use an OS
> with CC EAL certification. Sponsoring a full CC EAL evaluation would be too
> expensive, but might be possible if there was previous work to start from.
> (Perhaps there is a "chicken-and-egg" problem!)
>
> Thanks!
>
> [1] http://www.commoncriteriaportal.org/
> [2] http://niap.bahialab.com/cc-scheme/index.cfm

BSD-derived systems have been evaluated numerous times, but recently almost always in the context of products with a BSD foundation OS, rather than as a BSD OS being evaluated in its own right. Mac OS X "Panther" is the only really recent common criteria evaluated stand-alone BSD operating system that I am aware of; the other recent evaluations have all been things like FreeBSD-based firewalls and appliances, so evaluated to network appliance/device protection profiles rather than CAPP.

That said, FreeBSD 6.2 should meet most (if not all) technical requirements for a CAPP evaluation, as it will contain the audit merge from 7-CURRENT, at least, if my network connectivity is good enough over the next two weeks! I'm currently traveling in India, and my connectivity varies quite a bit by where I'm visiting, so it may be delayed a bit.
:-)

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Wed Aug 30 18:28:53 2006
Return-Path:
X-Original-To: trustedbsd-discuss@freebsd.org
Delivered-To: trustedbsd-discuss@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A100F16A4DA for ; Wed, 30 Aug 2006 18:28:53 +0000 (UTC) (envelope-from 473219@googlemail.com)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10FD943D46 for ; Wed, 30 Aug 2006 18:28:52 +0000 (GMT) (envelope-from 473219@googlemail.com)
Received: by nf-out-0910.google.com with SMTP id n15so223105nfc for ; Wed, 30 Aug 2006 11:28:51 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=dbpYmpzV7rJzm+wkFEFgL0ZgYgN46iTscinCB9Jd8AJBiUu6clMTWPnjEeAXauFAkobngjiRNIXxBcPqpuCyuSEEWkD96Si97ZybvpNNUHJEUirPNvGjXz7CJ0c2FWPc71N41Gu8e9SFPiXWJ2gm33Neo4RiVCIHjWwndQFUehQ=
Received: by 10.49.8.15 with SMTP id l15mr90500nfi; Wed, 30 Aug 2006 11:28:51 -0700 (PDT)
Received: by 10.49.65.10 with HTTP; Wed, 30 Aug 2006 11:28:51 -0700 (PDT)
Message-ID:
Date: Wed, 30 Aug 2006 19:28:51 +0100
From: 473219@googlemail.com To: trustedbsd-discuss@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Cc: Subject: Kernel module to deny execution of unsigned binaries? X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Aug 2006 18:28:53 -0000 Hi, Is it possible in TrustedBSD to prevent the execution of binaries whose path names + checksums are not listed in an "Approved" list? Thanks in advance! From owner-trustedbsd-discuss@FreeBSD.ORG Wed Aug 30 19:01:53 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BD4116A4DF; Wed, 30 Aug 2006 19:01:53 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 821F143D58; Wed, 30 Aug 2006 19:01:48 +0000 (GMT) (envelope-from max@love2party.net) Received: from [88.64.187.53] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis), id 0MKwpI-1GIVJr0v5M-0004Md; Wed, 30 Aug 2006 21:01:47 +0200 
From: Max Laier Organization: FreeBSD To: trustedbsd-discuss@freebsd.org Date: Wed, 30 Aug 2006 21:01:39 +0200 User-Agent: KMail/1.9.3 References: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart3949581.yMr7S2Cimt"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200608302101.46323.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: Subject: Re: Kernel module to deny execution of unsigned binaries? X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Aug 2006 19:01:53 -0000

On Wednesday 30 August 2006 20:28, 473219@googlemail.com wrote:
> Is it possible in TrustedBSD to prevent the execution of binaries
> whose path names + checksums are not listed in an "Approved" list?

There is some code from Christian (CCed) here:
http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec&HIDEDEL=NO

AFAIR, it uses extended attributes to store a hash of the executable that is checked upon execution. Certainly Christian has more details and a status.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Aug 31 02:23:14 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2094016A4E5 for ; Thu, 31 Aug 2006 02:23:14 +0000 (UTC) (envelope-from csjp@FreeBSD.org) Received: from ems01.seccuris.com (ems01.seccuris.com [204.112.0.35]) by mx1.FreeBSD.org (Postfix) with SMTP id 5A34043D46 for ; Thu, 31 Aug 2006 02:23:13 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: (qmail 7220 invoked by uid 86); 31 Aug 2006 02:51:39 -0000 Received: from unknown (HELO ?127.0.0.1?) (204.112.0.40) by ems01.seccuris.com with SMTP; 31 Aug 2006 02:51:39 -0000 Message-ID: <44F64812.9030107@FreeBSD.org> Date: Wed, 30 Aug 2006 21:23:14 -0500
From: "Christian S.J. Peron" User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719) MIME-Version: 1.0 To: Max Laier References: <200608302101.46323.max@love2party.net> In-Reply-To: <200608302101.46323.max@love2party.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: trustedbsd-discuss@freebsd.org Subject: Re: Kernel module to deny execution of unsigned binaries? X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Aug 2006 02:23:14 -0000

Max Laier wrote:
> On Wednesday 30 August 2006 20:28, 473219@googlemail.com wrote:
>
>> Is it possible in TrustedBSD to prevent the execution of binaries
>> whose path names + checksums are not listed in an "Approved" list?
>>
>
> There is some code from Christian (CCed) here:
> http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec&HIDEDEL=NO
>
> AFAIR, it uses extended attributes to store a hash of the executable that
> is checked upon execution. Certainly Christian has more details and a
> status.
>
>

Here are the highlights worth noting for mac_chkexec:

mac_chkexec prevents the execution of (1) binaries, (2) shared objects and (3) kernel modules which have been modified (back doored with trojans et al). Each binary has a cryptographic checksum associated with it, stored as an extended attribute to the file itself.

How it works is when the binary is executed, or when a shared object is mmap()'ed into the address space of the process, the kernel calculates the checksum of the data, and compares it against the checksum referenced by the inode, if the checksums don't match, the policy rejects access.

You can either force the calculation and storage of checksums using setfhash(8), or if the policy is loaded but not being enforced, i.e. "learning mode", the checksum will be calculated and stored when the executable is activated. This allows you to set a baseline security model for your system simply by just booting and executing all the relevant binaries you wish to protect.

It should also be noted that if an executable does not have a checksum associated with it, and the policy is being enforced, execution will be denied. You can also set dependencies, i.e. don't allow ipfw to execute if /etc/services and /etc/protocols have been modified.

There is also an optional cache that can be enabled, which makes the performance overhead of this policy minimal. Currently, SHA1 and MD5 are supported.

Some of the drawbacks:

(1) You need to reset system baselines after updates (and only privileged users can do it)
(2) It depends on UFS extended attributes, so currently things like NFS are not supported, although NFS is not really known for its integrity.

Ideally, this would be used with an integrity policy like mac_biba. I run this configuration on some production machines and it does well. Currently this is found in the trustedbsd-mac branch, and as far as I know, it's stable. If you have any further questions or want any additional help, don't hesitate to ask.

We have discussed bringing this into base, but we are currently still hashing out the details associated with the life of MAC modules in general.

Following is a flow chart on how this policy works logically, which should be fairly up to date:

http://people.freebsd.org/~csjp/mac/trustedexec.png

-- Christian S.J.
Peron csjp@FreeBSD.ORG FreeBSD Committer FreeBSD Security Team
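The mac_chkexec decision described in Christian Peron's reply above, as an added userland model that is not code from the module. All identifiers are hypothetical, FNV-1a stands in for SHA1/MD5, and the handling of failing dependencies and of mismatches in learning mode is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland model of the mac_chkexec decision described in the post above.
 * Every identifier is hypothetical; this is not the module's source. */
enum verdict { CHK_ALLOW, CHK_DENY_NOHASH, CHK_DENY_MISMATCH, CHK_DENY_DEP };

#define MAXDEPS 4

struct mfile {                      /* a file plus its checksum attribute */
    const char *path;
    const char *data;               /* constructed file contents */
    int has_hash;                   /* 0 = no checksum attribute stored */
    uint64_t hash;                  /* stored checksum */
    struct mfile *deps[MAXDEPS];    /* files that must verify before exec */
    int ndeps;
};

static int enforcing;               /* 0 = learning mode, 1 = enforced */

/* FNV-1a stands in for the SHA1/MD5 named in the post. It is NOT
 * collision resistant and is used only to keep the example short. */
static uint64_t digest(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;

    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Analogue of setfhash(8): privileged (re)baselining, e.g. after an update. */
void set_baseline(struct mfile *f)
{
    f->hash = digest(f->data);
    f->has_hash = 1;
}

/* Compare one file against its stored checksum. */
static enum verdict verify(struct mfile *f)
{
    if (!f->has_hash) {
        if (enforcing)
            return CHK_DENY_NOHASH; /* enforced and no checksum: deny */
        set_baseline(f);            /* learning mode: record on first use */
        return CHK_ALLOW;
    }
    return digest(f->data) == f->hash ? CHK_ALLOW : CHK_DENY_MISMATCH;
}

/* Decision taken at exec time (or when a shared object is mmap()'ed). */
enum verdict chkexec(struct mfile *f)
{
    enum verdict v = verify(f);
    int i;

    /* Assumption: a dependency failing for any reason blocks the exec. */
    for (i = 0; i < f->ndeps; i++)
        if (verify(f->deps[i]) != CHK_ALLOW && v == CHK_ALLOW)
            v = CHK_DENY_DEP;
    /* Assumption: learning mode never denies and keeps stored values. */
    return enforcing ? v : CHK_ALLOW;
}

/* Constructed scenario; returns the verdict of each step in order. */
const enum verdict *scenario(void)
{
    static enum verdict out[6];
    struct mfile services = { "/etc/services", "ftp 21/tcp\n", 0, 0, { NULL }, 0 };
    struct mfile ipfw = { "/sbin/ipfw", "ELF ipfw v1", 0, 0, { &services }, 1 };
    struct mfile dropped = { "/tmp/dropped", "ELF unknown", 0, 0, { NULL }, 0 };

    enforcing = 0;                          /* learning: run everything once */
    out[0] = chkexec(&ipfw);                /* allowed, baselines recorded */
    enforcing = 1;
    out[1] = chkexec(&ipfw);                /* matches baseline */
    out[2] = chkexec(&dropped);             /* never baselined */
    services.data = "ftp 2121/tcp\n";       /* dependency modified */
    out[3] = chkexec(&ipfw);
    set_baseline(&services);                /* admin accepts the change */
    ipfw.data = "ELF ipfw v1 + backdoor";   /* binary modified */
    out[4] = chkexec(&ipfw);
    ipfw.data = "ELF ipfw v2";              /* legitimate update ... */
    set_baseline(&ipfw);                    /* ... needs a new baseline */
    out[5] = chkexec(&ipfw);
    return out;
}

int main(void)
{
    const enum verdict *r = scenario();
    int i;

    for (i = 0; i < 6; i++)
        printf("step %d: verdict %d\n", i, r[i]);
    return 0;
}
```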
From owner-trustedbsd-discuss@FreeBSD.ORG Thu Aug 31 20:20:23 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6031A16A4DA for ; Thu, 31 Aug 2006 20:20:23 +0000 (UTC) (envelope-from 473219@googlemail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.189]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE47C43D46 for ; Thu, 31 Aug 2006 20:20:22 +0000 (GMT) (envelope-from 473219@googlemail.com) Received: by nf-out-0910.google.com with SMTP id n15so523130nfc for ; Thu, 31 Aug 2006 13:20:21 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:mime-version:content-type; b=SURR07gJvRpW38xVB/8Rgrl+GPAnXLOvuR3qYIBOd8D/vVzo1L89+Ux/tpgBSENV1DKgmLPs6EfjHnrRXRhBzcF20wMZSK5CLaNR08KvGDcoRte6nMD6QygircMJvewAze7TtSAf615qHk5m4rN3V3wN4chjrziU51P2LmHrTAY= Received: by 10.49.43.2 with SMTP id v2mr1976176nfj; Thu, 31 Aug 2006 13:20:21 -0700 (PDT) Received: by 10.49.65.10 with HTTP; Thu, 31 Aug 2006 13:20:21 -0700 (PDT) Message-ID: Date: Thu, 31 Aug 2006 21:20:21 +0100 
From: 473219@googlemail.com To: trustedbsd-discuss@freebsd.org MIME-Version: 1.0 X-Mailman-Approved-At: Fri, 01 Sep 2006 14:28:52 +0000 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: USB port security X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 31 Aug 2006 20:20:23 -0000 Hi, Is it possible for USB ports to be locked down, so that the administrator specifies which devices are allowed to connect? Specification of authorised devices might be by device class, device vendor, and serial number range. Thanks in advance! And thanks to everyone who responded so patiently to my earlier questions. From owner-trustedbsd-discuss@FreeBSD.ORG Sat Sep 2 21:22:47 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E573916A4DD for ; Sat, 2 Sep 2006 21:22:47 +0000 (UTC) (envelope-from csjp@FreeBSD.org) Received: from ems01.seccuris.com (ems01.seccuris.com [204.112.0.35]) by mx1.FreeBSD.org (Postfix) with SMTP id 51D1243D45 for ; Sat, 2 Sep 2006 21:22:47 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: (qmail 15318 invoked by uid 86); 2 Sep 2006 21:52:31 -0000 Received: from unknown (HELO ?127.0.0.1?) (204.112.0.40) by ems01.seccuris.com with SMTP; 2 Sep 2006 21:52:31 -0000 Message-ID: <44F9F626.5080307@FreeBSD.org> Date: Sat, 02 Sep 2006 16:22:46 -0500 
From: "Christian S.J. Peron" User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719) MIME-Version: 1.0 To: trustedbsd-discuss@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Kernel preselection of user supplied BSM record X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Sep 2006 21:22:48 -0000

Group,

Lately I have been doing a lot of work on adding support to the kernel for parsing BSM records. Currently, user supplied BSM records are unconditionally selected and show up in audit trails even if the trail (and now the pipe) is not interested in seeing them. We do have mechanisms in place to allow userspace to preselect, however this is only valid for the audit trail itself, and not pipes. I have made the following changes to our implementation:

(1) We have two flags AR_PRESELECT_TRAIL and AR_PRESELECT_PIPE which tell the audit worker threads if we should be submitting the records. This was problematic in the sense that if the kernel was not interested in seeing the audit(2) record, the userspace record would be thrown away with it. Therefore I introduced two additional flags, AR_PRESELECT_USER_TRAIL and AR_PRESELECT_USER_PIPE which allow us to hold on to the user supplied record, even if the kernel doesn't want to see the audit(2) record.

(2) Changed bsm_rec_verify() so that it checks to make sure basic components are present in the record to ensure it can be preselected properly, namely: header, subject, and return tokens.

(3) Given the requirements in point 2, we had to be able to parse the BSM record in the kernel, meaning we had to understand how large each token was, so we introduced bsm_token_size() which when given a pointer to a token, returns its size. This allowed us to introduce functions like bsm_get_header() and bsm_get_subject() et al to help us extract the information required for preselection.

(4) Now audit(2) does the following: it checks to see if the trail or any of the pipes are interested in the user supplied record; if not, it frees the record and discards it. Otherwise, it sets the appropriate AR masks and initializes the preselection data (for pipes) in the kaudit structure and carries on.

I have posted a link to the patch and would like some folks to review/comment.

http://people.freebsd.org/~csjp/audit.1157061978.diff

One of the challenges introduced by audit pipes is a lot of existing consumers of BSM i.e. OpenSSH perform their own preselection in userspace before submitting the record. So if an audit pipe is interested in retrieving a record, but the trail isn't, the record will not make it to the pipe. I propose that we teach the au_preselect() to query the kernel for an audit mask which represents the interest of all the active pipes, essentially OR'ing it with the masks supplied by the configuration in /etc/security.

-- Christian S.J.
Peron csjp@FreeBSD.ORG FreeBSD Committer FreeBSD Security Team From owner-trustedbsd-discuss@FreeBSD.ORG Thu Sep 7 01:27:01 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AB2A316A4DA for ; Thu, 7 Sep 2006 01:27:01 +0000 (UTC) (envelope-from 473219@googlemail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF7BB43D6E for ; Thu, 7 Sep 2006 01:26:54 +0000 (GMT) (envelope-from 473219@googlemail.com) Received: by nf-out-0910.google.com with SMTP id n29so375439nfc for ; Wed, 06 Sep 2006 18:26:53 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=tfGWvINXqLEhWqVCuDp3H0ZCO/wOCzTYgECW+tDjFCpapR+QvzWewvJOf6dxsxbjeG3Ir91UbcIGSyUejsbVDSS0sev8NF4HhF7scaJeNnBIxbzduH4W8/L58UMQecdAiQj74YaB1GsME4um9sdp+ZOujYlOA5SBUpGqgfMaI/k= Received: by 10.49.19.18 with SMTP id w18mr1842949nfi; Wed, 06 Sep 2006 18:26:53 -0700 (PDT) Received: by 10.49.65.10 with HTTP; Wed, 6 Sep 2006 18:26:53 -0700 (PDT) Message-ID: Date: Thu, 7 Sep 2006 02:26:53 +0100 
From: 473219@googlemail.com To: "Christian S.J. Peron" In-Reply-To: <44F64812.9030107@FreeBSD.org> MIME-Version: 1.0 References: <200608302101.46323.max@love2party.net> <44F64812.9030107@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: trustedbsd-discuss@freebsd.org Subject: Re: Kernel module to deny execution of unsigned binaries? X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 01:27:01 -0000

On 31/08/06, Christian S.J. Peron wrote:
> Here are the highlights worth noting for mac_chkexec:
>
> mac_chkexec prevents the execution of (1) binaries, (2) shared objects
> and (3) kernel modules which have been modified (back doored with
> trojans et al). Each binary has a cryptographic checksum associated with
> it, stored as an extended attribute to the file itself.
>
> How it works is when the binary is executed, or when a shared object is
> mmap()'ed into the address space of the process, the kernel calculates
> the checksum of the data, and compares it against the checksum
> referenced by the inode, if the checksums don't match, the policy
> rejects access.

Christian,

Thanks for the info. It sounds quite powerful.

Does this system allow the checksum to be a digital signature instead?

A potential customer has asked that no file be executed unless signed with their master key, to prove that the executable was issued by their central office.

The kernel would check that the executable file had a digital signature signed by the central office - so even if you gained full write access to the directory, you would be unable to execute your malicious program unless you had compromised the signer's private key.

Thanks again!
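The kernel-side handling of a user supplied record from Christian Peron's BSM preselection post earlier in this archive, points (1) to (4), modelled as an added example that is not taken from his patch. Flag values, struct and function names, the event number and the class bits are constructed; only the token IDs and fixed token sizes follow the BSM record format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the preselection flow in the post. Flag values, struct and
 * function names, event number and class bits are constructed; only the
 * token IDs and fixed token sizes follow the BSM record format. */
#define AR_PRESELECT_USER_TRAIL 0x01
#define AR_PRESELECT_USER_PIPE  0x02
#define AUT_TRAILER   0x13
#define AUT_HEADER32  0x14
#define AUT_SUBJECT32 0x24
#define AUT_RETURN32  0x27

struct mask { uint32_t success, failure; };  /* audit classes of interest */

/* Size of the token at p, or 0 if it is truncated or not one of the four
 * fixed-size tokens modelled here (the role of bsm_token_size()). */
static size_t token_size(const uint8_t *p, size_t left)
{
    size_t n;

    switch (p[0]) {
    case AUT_HEADER32:  n = 18; break;
    case AUT_SUBJECT32: n = 37; break;
    case AUT_RETURN32:  n = 6;  break;
    case AUT_TRAILER:   n = 7;  break;
    default:            return 0;
    }
    return n <= left ? n : 0;
}

/* Role of bsm_rec_verify(): walk the tokens and require header, subject and
 * return; report the event type and return status needed for preselection. */
int rec_verify(const uint8_t *rec, size_t len, uint16_t *event, uint8_t *status)
{
    size_t off, n;
    int seen = 0;

    for (off = 0; off < len; off += n) {
        if ((n = token_size(rec + off, len - off)) == 0)
            return 0;
        if (rec[off] == AUT_HEADER32) {
            seen |= 1;
            *event = (uint16_t)(rec[off + 6] << 8 | rec[off + 7]);
        } else if (rec[off] == AUT_SUBJECT32) {
            seen |= 2;
        } else if (rec[off] == AUT_RETURN32) {
            seen |= 4;
            *status = rec[off + 1];
        }
    }
    return seen == 7;
}

/* Constructed event-to-class lookup. */
static uint32_t event_class(uint16_t event)
{
    return event == 0x8020 ? 0x1000 : 0;
}

static int interested(const struct mask *m, uint32_t cls, uint8_t status)
{
    return ((status == 0 ? m->success : m->failure) & cls) != 0;
}

/* audit(2) path for a user supplied record: returns AR_PRESELECT_USER_*
 * flags, 0 when nobody is interested (record freed), -1 when unparsable. */
int user_record_flags(const uint8_t *rec, size_t len,
    const struct mask *trail, const struct mask *pipes, int npipes)
{
    uint16_t event = 0;
    uint8_t status = 0;
    int i, flags = 0;

    if (!rec_verify(rec, len, &event, &status))
        return -1;
    if (interested(trail, event_class(event), status))
        flags |= AR_PRESELECT_USER_TRAIL;
    for (i = 0; i < npipes; i++)
        if (interested(&pipes[i], event_class(event), status))
            flags |= AR_PRESELECT_USER_PIPE;
    return flags;
}

/* Constructed record: header, subject, return (status 1 = failure), trailer. */
const uint8_t sample[68] = {
    [0] = AUT_HEADER32, [4] = 68, [5] = 11, [6] = 0x80, [7] = 0x20,
    [18] = AUT_SUBJECT32, [55] = AUT_RETURN32, [56] = 1,
    [61] = AUT_TRAILER, [62] = 0xb1, [63] = 0x05, [67] = 68,
};
const struct mask trail = { 0, 0 };                   /* trail not interested */
const struct mask pipes[1] = { { 0x1000, 0x1000 } };  /* one interested pipe */

int main(void)
{
    printf("pipe only: %d\n", user_record_flags(sample, 68, &trail, pipes, 1));
    printf("no pipes:  %d\n", user_record_flags(sample, 68, &trail, pipes, 0));
    printf("truncated: %d\n", user_record_flags(sample, 30, &trail, pipes, 1));
    return 0;
}
```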
From owner-trustedbsd-discuss@FreeBSD.ORG Wed Sep 13 14:29:19 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15B7F16A407; Wed, 13 Sep 2006 14:29:19 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7B1F43D5E; Wed, 13 Sep 2006 14:29:14 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 12BA846CBD; Wed, 13 Sep 2006 10:29:14 -0400 (EDT) Date: Wed, 13 Sep 2006 15:29:14 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: arch@FreeBSD.org Message-ID: <20060913150912.J1823@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@TrustedBSD.org Subject: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Sep 2006 14:29:19 -0000

Dear all,

Over the past few weeks, I've been working on a replacement for the suser(9) API, used to check whether a thread or credential has the privilege to override discretionary access control or perform system configuration operations in the kernel. Currently, these checks use one of two kernel APIs:

    suser(thread)

or:

    suser_cred(cred, flags)

The former is the more common invocation, but the latter is also often used; this is largely because jail(4) requires limits of superuser privilege, so instances of privilege allowed in jail are explicitly marked via the flags field. There are also circumstances in which only a credential is available, perhaps cached from another context, and a very small number of instances (2) where a second flag, forcing use of the ruid instead of the euid, is used.

The above API has served FreeBSD well for many years. However, it suffers from a number of architectural and functionality inadequacies. The goal of my work has been to address a particular functional lack: granularity.
In particular, there are a number of things that finer granularity in the API would allow us to do:

- Make it easier to explore the finer-grained granting of privilege via policy, such as assigning specific useful privileges -- the ability to bind a port, configure a SLIP interface, adjust the time, be exempt from audit requirements, be allowed to attach to a jail, override certain file permissions, set quotas, configure IP addresses, etc, which are cleanly separable (not to mention usefully assignable) privileges.

- Make it easier to explore the finer-grained denial of privilege. For example, jail is in large part based on a marking of different privilege checking points as being "allowed in jail" or "not allowed in jail". In some ways this is advantageous: the implementer of each suser check gets to decide whether it's in jail, and that information is available in the context of the check. However, this has several important disadvantages. Not least is that the implementation of jail is highly distributed rather than centralized, making auditing the implementation difficult. Another disadvantage is that configuration options that vary the behavior of jail are also distributed throughout the kernel rather than centralized, as they must vary whether the SUSER_ALLOWJAIL flag is being passed into suser. It would be nice to be able to quickly and easily answer the question "what privileges are granted in jail", and to easily vary the list, which is not possible currently.

- Make it easier to identify, categorize, and audit the use of privilege throughout the kernel by actually having a list of the privileges and what they correspond to, as well as making it easier to identify all the places a specific privilege is used. This facilitates auditing of kernel privilege use, and easy comparison of the use of identical privileges in different subsystems.
  For example, while doing this work, I identified inconsistencies in the application of superuser privilege in different file systems, privileges that were sometimes allowed in jail, but sometimes not, etc. 200 anonymous suser checks are hard to analyze, 160 named privilege checks are much easier to analyze.

- Make it easier to modify the audit mechanism to capture a log of exactly what privileges are exercised during operation, a requirement for higher assurance evaluation.

What does this all mean in practice? It means replacing suser(9) and suser_cred(9) with calls that express the specific privilege being checked for. I took the most straightforward possible implementation: I reviewed all privilege checks in the kernel, identified all identical privileges and categorized all privileges by subsystem. I then assigned unique numeric constants to each unique privilege, and added a privilege identifier argument to the two new functions, priv_check(9) and priv_check_cred(9). Here are a few sample snippets from the privilege list in src/sys/priv.h:

    ...
    PRIV_ACCT,              /* Manage process accounting. */
    PRIV_MAXFILES,          /* Exceed system open files limit. */
    PRIV_MAXPROC,           /* Exceed system processes limit. */
    PRIV_KTRACE,            /* Set/accept KTRFAC_ROOT on ktrace. */
    PRIV_SETDUMPER,         /* Configure dump device (XXX: needs work). */
    PRIV_NFSD,              /* Can become NFS daemon. */
    PRIV_REBOOT,            /* Can reboot system. */
    PRIV_SWAPON,            /* Can swapon(). */
    PRIV_SWAPOFF,           /* Can swapoff(). */
    ...
    PRIV_PMC_MANAGE,        /* Can administer PMC. */
    PRIV_PMC_SYSTEM,        /* Can allocate a system-wide PMC. */
    PRIV_SCHED_DIFFCRED,    /* Exempt scheduling other users. */
    PRIV_SCHED_SETPRIORITY, /* Can set lower nice value for proc. */
    PRIV_SCHED_RTPRIO,      /* Can set real time scheduling. */
    PRIV_SCHED_SETPOLICY,   /* Can set scheduler policy. */
    PRIV_SCHED_SET,         /* Can set thread scheduler. */
    PRIV_SCHED_SETPARAM,    /* Can set thread scheduler params. */
    ...
    PRIV_UFS_SETQUOTA,      /* setquota(). */
    PRIV_UFS_SETUSE,        /* setuse(). */
    PRIV_UFS_EXCEEDQUOTA,   /* Exempt from quota restrictions. */
    PRIV_VFS_READ,          /* Override vnode DAC read perm. */
    PRIV_VFS_WRITE,         /* Override vnode DAC write perm. */
    PRIV_VFS_ADMIN,         /* Override vnode DAC admin perm. */
    PRIV_VFS_EXEC,          /* Override vnode DAC exec perm. */
    PRIV_VFS_LOOKUP,        /* Override vnode DAC lookup perm. */
    PRIV_VFS_BLOCKRESERVE,  /* Can use free block reserve. */
    ...

As you can see, they break down into both a set of system management privileges, relating to configuring kernel services, and then a set of specific privileges associated with (and sorted by) major kernel subsystems.

None of this implies a change in underlying policy -- just that a bit more contextual information is passed into the privilege check. This has some important specific functional benefits:

- It makes it possible to migrate the "allowed in jail" decision from the calling context to the privilege management code. This will allow us to gradually eliminate the passing of flags to the privilege check code under almost all circumstances. In my patch, I have added a new function to kern_jail.c, prison_priv_check(), which essentially contains a switch statement listing the privileges allowed in jail, and denying the rest. Configurable privileges, raw socket access, etc, can now occur in one place, and open the door to introducing more easy per-jail configuration of privilege. After these changes, the implementation is much more centralized in kern_jail.c.

- It makes it possible for the MAC Framework to restrict access to privilege, a feature required for the SEBSD policy module, which implements the FLASK/Type Enforcement policy environment as found in SELinux. Policy modules can register interest in privilege checks, and then specifically deny access to privileges as they see fit.

- It makes it possible for the MAC Framework to allow policies to grant privilege.
  Policy modules can register interest in privilege checks, and then specifically grant access to privileges as they see fit.

In order to demonstrate MAC Framework integration with the privilege system, I have implemented a sample policy module, mac_privs, which allows rule-based granting of privileges to specific uids. Using a command line tool, appropriately privileged processes can modify the rule list, granting named privileges to unprivileged users. This is not a particularly mature example of a privilege-granting policy, as ideally privilege is something that is available but not always exercised -- i.e., similar to a setuid root binary that switches the effective uid to root only when it specifically needs privilege. However, it's quite useful in practice, and demonstrates how configurable policies can interact with kernel privilege decisions.

In the past, I've done similar work on two occasions: once in implementing POSIX.1e privileges for FreeBSD as part of the TrustedBSD Project (not merged), and once as part of the SEBSD implementation. This work is functionally similar, but there are several important ways in which this design differs from the POSIX.1e approach (also used in Linux):

- The identification of privileges is quite fine-grained. The Linux-extended POSIX.1e privilege set contains high level privileges like "Network privilege", which encapsulates a broad range of different network privilege checks. I have identified over 50 different specific network privileges, each separately named. It would be easy to map these into the POSIX.1e privilege set, which is presumably what the SEBSD policy will need to do in order to produce the narrower set expected by the SELinux code.

- The approach is intended to allow the granting as well as denying of privilege. This is an important design choice, and has both some costs and some benefits.
  One important benefit is that it has historically proven difficult to take rights away from the root user without introducing security vulnerabilities associated with applications written to use root privilege expecting that all privileges be in place. Granting specific privileges implies a fairly different application and policy construction and may well be safer.

- Because of the fine-grained naming of privileges, it's possible to encapsulate jail in a way that was not previously possible: the POSIX.1e privilege set was simply too coarse to capture the requirements of jail.

- Privileges under this model are not treated as maskable values. In practice, there are very few situations in which it is useful to check multiple privileges at once, and permitting that encourages authors adding new privilege checks to combine privileges in a way that makes it opaque to the privilege mechanism as to which privilege was actually needed. This also has the benefit of making it much easier/more efficient to add new privileges as required, as it doesn't require expanding a bit string representing the privileges. Most POSIX.1e implementations limit the total number of privileges to 32 to 64 in order to have them fit in a bitmask easily.

- By assigning new privileges for every privilege with significantly different semantic, the question of "when to add a new privilege" is answered: unless there is an obvious match, you add one. With the POSIX.1e + Linux set, it is necessary to try to figure out how to fit a new check into one of many poorly matching privileges. The result was that almost all privileges not clearly matched to one of the POSIX.1e set ended up in the catch-all CAP_SYS_ADMIN.

The status of this work is that a pretty functional prototype can be found in Perforce:

    //depot/projects/trustedbsd/priv/...
A snapshot patch from the branch, excluding mac_privs, can be found here:

    http://www.watson.org/~robert/freebsd/20060913-trustedbsd-priv.diff

In that tree, you'll want particularly to look at:

    sys/kern/kern_jail.c            Revised jail privilege behavior
    sys/kern/kern_priv.c            Privilege check implementation
    sys/security/mac/mac_priv.c     MAC extensions for privileges
    sys/security/mac_privs/*        Sample MAC policy granting privileges
    sys/sys/priv.h                  Privilege list, API
    share/man/man9/priv.9           Draft man page
    usr.sbin/mac_privs/*            Management tool for sample MAC policy

It is my intent, following review, discussion, cleanup, etc, to commit the priv(9) work, sans mac_privs, to the 7.x tree in the next couple of weeks. The mac_privs policy is a sample policy that will continue to be maintained as part of the TrustedBSD Project, but not merged into the base tree at this point.

Some remaining TODO items are:

- Review various XXX comments I added as part of this work.

- Complete modification of System V IPC code to properly check privileges.

- Update mac_none.c sample policy to include privilege stubs.

- Possibly move securelevel support to kern_priv.c, since it largely relates to privilege.

- Teach the audit subsystem to collect privilege information during a system call, and add it to audit records using privilege tokens (already present in Solaris).

- Complete man page updates, including finalize priv.9, trim down suser.9.

- Create further privilege-related regression tests.

- Finalize decision on using an enum or an int to identify privileges. Using an enum requires more namespace pollution, and requires hard-coded values anyway in order to avoid ABI issues. Possibly using #defines would be simpler.

I'd like to gratefully acknowledge the sponsorship of nCircle Network Security, Inc in performing this work.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Wed Sep 13 17:58:44 2006
Message-ID: <450846C3.7090200@gentoo.org>
Date: Wed, 13 Sep 2006 13:58:27 -0400
From: Joshua Brindle
To: "Christian S.J. Peron"
Cc: trustedbsd-discuss@freebsd.org
Subject: Re: Kernel module to deny execution of unsigned binaries?
In-Reply-To: <44F64812.9030107@FreeBSD.org>

Christian S.J. Peron wrote:
> Max Laier wrote:
>> On Wednesday 30 August 2006 20:28, 473219@googlemail.com wrote:
>>
>>> Is it possible in TrustedBSD to prevent the execution of binaries
>>> whose path names + checksums are not listed in an "Approved" list?
>>>
>>
>> There is some code from Christian (CCed) here:
>> http://perforce.freebsd.org/depotTreeBrowser.cgi?FSPC=//depot/projects/trustedbsd/mac/sys/security/mac%5fchkexec&HIDEDEL=NO
>>
>>
>> AFAIR, it uses extended attributes to store a hash of the executable
>> that is checked upon execution. Certainly Christian has more details
>> and a status.
>>
>>
> Here are the highlights worth noting for mac_chkexec:
>
> mac_chkexec prevents the execution of (1) binaries, (2) shared objects
> and (3) kernel modules which have been modified (back doored with
> trojans et al). Each binary has a cryptographic checksum associated
> with it, stored as an extended attribute to the file itself.
>
> How it works is when the binary is executed, or when a shared object
> is mmap()'ed into the address space of the process, the kernel
> calculates the checksum of the data, and compares it against the
> checksum referenced by the inode, if the checksums don't match, the
> policy rejects access.
>
> You can either force the calculation and storage of checksums using
> setfhash(8), or if the policy is loaded but not being enforced, i.e.
> "learning mode", the checksum will be calculated and stored when the
> executable is activated. This allows you to set a baseline security
> model for your system simply by just booting and executing all the
> relevant binaries you wish to protect. It should also be noted that if
> an executable does not have a checksum associated with it, and the
> policy is being enforced, execution will be denied.
>
> You can also set dependencies, i.e. don't allow ipfw to execute if
> /etc/services and /etc/protocols have been modified.
>
> There is also an optional cache that can be enabled, which makes the
> performance overhead of this policy minimal.
>
> Currently, SHA1 and MD5 are supported.
>
> Some of the drawbacks:
>
> (1) You need to reset system baselines after updates (and only
> privileged users can do it)
> (2) It depends on UFS extended attributes, so currently things like
> NFS are not supported, although, NFS is not really known for its
> integrity.
>
> Ideally, this would be used with an integrity policy like mac_biba. I
> run this configuration on some production machines and it does well.
> Currently this is found in the trustedbsd-mac branch, and as far as I
> know, it's stable. If you have any further questions or want any
> additional help, don't hesitate to ask. We have discussed bringing this
> into base, but we are currently still hashing out the details
> associated with the life of MAC modules in general.
>
> Following is a flow chart on how this policy works logically, which
> should be fairly up to date:
>
> http://people.freebsd.org/~csjp/mac/trustedexec.png
>
>

It's worth noting that there was a long thread about this on the Linux security modules list this year concerning an LSM that did binary signature checking (digsig) and was decidedly not useful for a number of reasons, primarily because you can implement an ELF loader in any interpreted language when the interpreter is signed.

http://marc.theaimsgroup.com/?l=linux-security-module&m=114581034926854&w=2

From owner-trustedbsd-discuss@FreeBSD.ORG Wed Sep 13 18:41:26 2006
Date: Wed, 13 Sep 2006 19:41:16 +0100
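The mac_chkexec checks quoted in the message above (learning mode, enforcement, a missing checksum, dependencies), as an added example that is not the module's code and not part of the thread. It is a userland C model: `file_model`, the function names and the FNV-1a checksum standing in for SHA1/MD5 are assumptions, as is allowing a mismatch while in learning mode.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPS 2

/* Hypothetical stand-in for a file and its checksum extended attribute. */
struct file_model {
    const char *path;
    char data[32];                       /* constructed file contents */
    bool has_sum;                        /* is the attribute present? */
    uint64_t sum;                        /* stored baseline checksum */
    struct file_model *deps[MAX_DEPS];   /* files that must verify too */
};

static bool enforcing = false;           /* false models "learning mode" */

void set_enforcing(bool on) { enforcing = on; }

/* FNV-1a: a short stand-in for the SHA1/MD5 digests the policy supports. */
static uint64_t checksum(const char *s)
{
    uint64_t h = 1469598103934665603ULL;

    while (*s) {
        h ^= (unsigned char)*s++;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Models the explicit path (setfhash(8)): compute and store the baseline. */
void set_baseline(struct file_model *f)
{
    f->sum = checksum(f->data);
    f->has_sum = true;
}

static int verify_one(struct file_model *f)
{
    if (!f->has_sum) {
        if (enforcing)
            return EACCES;               /* no baseline under enforcement */
        set_baseline(f);                 /* learning mode records it */
        return 0;
    }
    if (f->sum != checksum(f->data) && enforcing)
        return EACCES;                   /* modified since the baseline */
    return 0;
}

/* Decision at exec/mmap time: the object and each dependency must verify. */
int chkexec(struct file_model *f)
{
    int error = verify_one(f);

    for (int i = 0; error == 0 && i < MAX_DEPS && f->deps[i] != NULL; i++)
        error = verify_one(f->deps[i]);
    return error;
}

int main(void)
{
    /* Constructed sample files; contents are placeholders. */
    struct file_model services = { "/etc/services", "ftp 21/tcp", false, 0, { NULL, NULL } };
    struct file_model ipfw = { "ipfw", "ipfw build 1", false, 0, { &services, NULL } };

    printf("learning run:        %d\n", chkexec(&ipfw));
    set_enforcing(true);
    printf("enforced, unchanged: %d\n", chkexec(&ipfw));
    strcpy(services.data, "ftp 2121/tcp");
    printf("dependency modified: %d\n", chkexec(&ipfw));
    return 0;
}
```

The model covers only the checksum decision; it does not address the signed-interpreter case raised in the reply above.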
From: Ceri Davies
To: Robert Watson
Cc: arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org
Subject: Re: New in-kernel privilege API: priv(9)
Message-ID: <20060913184115.GE93949@submonkey.net>
In-Reply-To: <20060913150912.J1823@fledge.watson.org>

On Wed, Sep 13, 2006 at 03:29:14PM +0100, Robert Watson wrote:
> What does this all mean in practice? It means replacing suser(9) and
> suser_cred(9) with calls that express the specific privilege being checked
> for. I took the most straightforward possible implementation: I reviewed
> all privilege checks in the kernel, identified all identical privileges and
> categorized all privileges by subsystem. I then assigned unique numeric
> constants to each unique privilege, and added a privilege identifier
> argument to the two new functions, priv_check(9) and priv_check_cred(9).

Is this wilfully different from the privileges(5) model in Solaris 10 (http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3b?a=view) ?

It seems that there would be some benefit in having at least a minimal common API and set of privilege names, not least to help with issues such as that raised in http://issues.apache.org/bugzilla/show_bug.cgi?id=34671.

Having only just started to look over your work, I'll be happy to be put straight if we're talking about completely different things, but on the surface they're looking very similar.

Ceri

--
That must be wonderful! I don't understand it at all.
-- Moliere

From owner-trustedbsd-discuss@FreeBSD.ORG Wed Sep 13 20:28:30 2006
Date: Wed, 13 Sep 2006 21:28:24 +0100 (BST)
From: Robert Watson
To: Ceri Davies
Cc: arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org
Subject: Re: New in-kernel privilege API: priv(9)
Message-ID: <20060913194559.U53301@fledge.watson.org>
In-Reply-To: <20060913184115.GE93949@submonkey.net>

On Wed, 13 Sep 2006, Ceri Davies wrote:

> On Wed, Sep 13, 2006 at 03:29:14PM +0100, Robert Watson wrote:
>
>> What does this all mean in practice? It means replacing suser(9) and
>> suser_cred(9) with calls that express the specific privilege being checked
>> for. I took the most straightforward possible implementation: I reviewed
>> all privilege checks in the kernel, identified all identical privileges and
>> categorized all privileges by subsystem. I then assigned unique numeric
>> constants to each unique privilege, and added a privilege identifier
>> argument to the two new functions, priv_check(9) and priv_check_cred(9).
>
> Is this wilfully different from the privileges(5) model in Solaris 10
> (http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3b?a=view) ?
>
> It seems that there would be some benefit in having at least a minimal
> common API and set of privilege names, not least to help with issues such as
> that raised in http://issues.apache.org/bugzilla/show_bug.cgi?id=34671.
>
> Having only just started to look over your work, I'll be happy to be put
> straight if we're talking about completely different things, but on the
> surface they're looking very similar.

A couple of points:

First, the system present in Solaris is, in effect, a variant of some draft of POSIX.1e (or possibly vice versa), albeit with differently named constants. All the comments I made regarding POSIX.1e apply to it. Specifically, the priv(9) kernel API offers much more fine-grained assignment of rights relating to system administration, etc, corresponding specifically to the set of privileges defined in our kernel.

Second, privileges(5) describes an alternative privilege model exposed to userspace, whereas the work I've described is an in-kernel API for privilege checking. It doesn't imply (or, for that matter, implement) a change in the OS privilege model, although clearly it would facilitate doing that in the future. Since priv(9) is not an application API, it's not clear that application portability is an immediate concern.

FYI, we have previously implemented POSIX.1e capabilities (privileges) on FreeBSD as part of the TrustedBSD work, and rejected it for inclusion based on a number of criteria. The most important were:

- The risk associated with changing the OS privilege model -- notice that the inheritance/effective/permitted behavior of POSIX.1e is quite complex, not to mention the application compatibility risks (recall the Linux sendmail problem a few years ago).

- The lack of granularity is a significant problem for most implementations of POSIX.1e. The base set of privileges is fairly carefully designed to match the instances of privilege in POSIX, and so does fairly well, all systems require extensions to the basic POSIX set (as they all extend POSIX), and the common extensions are generally not fine-grained at all. Witness CAP_SYS_ADMIN on Linux, which is a catch-all for many different privileges.

I selected the PRIV_ privilege names in order to avoid conflicting with the POSIX.1e CAP_ naming scheme, so that if that scheme is implemented as a wrapper to the underlying priv(9) privilege API in the kernel, there won't be problems.
Avoiding conflicts with the Solaris scheme would be useful, but is more tricky (possibly because it is more sensible :-). I think it's useful to compare the Solaris privilege set, and also consider whether in the future we want to adopt a privilege model along similar lines. However, given that the privilege models across various UNIX and non-UNIX systems are all similar and yet completely different, I'm not sure that being similar and yet different from Solaris is particularly a problem -- more, say, than being similar but different from IRIX, Linux, Windows, etc.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Sep 14 00:53:12 2006
From: Max Laier
To: freebsd-arch@freebsd.org
Cc: trustedbsd-discuss@trustedbsd.org, Robert Watson
Date: Thu, 14 Sep 2006 02:52:58 +0200
Subject: Re: New in-kernel privilege API: priv(9)
Message-Id: <200609140253.06818.max@love2party.net>
In-Reply-To: <20060913150912.J1823@fledge.watson.org>

On Wednesday 13 September 2006 16:29, Robert Watson wrote:
...
> - It makes it possible to migrate the "allowed in jail" decision from
> the calling context to the privilege management code. This will allow
> us to gradually eliminate the passing of flags to the privilege check
> code under almost all circumstances. In my patch, I have added a new
> function to kern_jail.c, prison_priv_check(), which essentially
> contains a switch statement listing the privileges allowed in jail, and
> denying the rest. Configurable privileges, raw socket access, etc, can
> now occur in one place, and open the door to introducing more easy
> per-jail configuration of privilege.
> After these changes, the
> implementation is much more centralized in kern_jail.c.
...
> - Privileges under this model are not treated as maskable values. In
> practice, there are very few situations in which it is useful to
> check multiple privileges at once, and permitting that encourages
> authors adding new privilege checks to combine privileges in a way that
> makes it opaque to the privilege mechanism as to which privilege was
> actually needed. This also has the benefit of making it much
> easier/more efficient to add new privileges as required, as it doesn't
> require expanding a bit string representing the privileges. Most
> POSIX.1e implementations limit the total number of privileges to 32 to
> 64 in order to have them fit in a bitmask easily.

I tried to read with care and understand the reason behind not using flags - at least partly. I didn't find any in your email so: Wouldn't it make sense to mask off at least part of it to encode some general decision into the privilege value directly. A la:

#define ALLOW_IN_JAIL 0x8000000

#define PRIV_KTRACE (42 | ALLOW_IN_JAIL)

Right now, prison_priv_check() is looking rather scary to me. If something else wants to decide on finer granularity, alright, but in my opinion it's easier (more obvious) to keep the "normal" information in the .h file where the privileges are defined and described - as we are aiming for centralization of the decision and information. On top of that the caller could mask off ALLOW_IN_JAIL if they think it's not appropriate in a special use case of the privilege.

On an aside, it would be nice to have "optional" privilege checks i.e. in pf we trust the file permissions on /dev/pf (plus securelevel) to decide if someone is allowed to fiddle with the firewall. It would be nice to have a way of allowing MAC (or whatever) to decide this - without disallowing non-root use as long as the policy doesn't care.
In code that would mean a "if (flags & SUSER_OPTIONAL) return (0);" just before the "if (suser_enabled) ..."-block. The policy would have its go in mac_priv_check() above.

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Sep 14 06:17:27 2006
Message-ID: <20060914081703.umum0k4x3k88k4ko@webmail.leidinger.net>
Date: Thu, 14 Sep 2006 08:17:03 +0200
From: Alexander Leidinger
To: Robert Watson
Cc: arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org
Subject: Re: New in-kernel privilege API: priv(9)
In-Reply-To: <20060913150912.J1823@fledge.watson.org>

Quoting Robert Watson (from Wed, 13 Sep 2006 15:29:14 +0100 (BST)):

> privilege list in src/sys/priv.h:
> ...
> PRIV_UFS_SETQUOTA, /* setquota(). */
> PRIV_UFS_SETUSE, /* setuse(). */
> PRIV_UFS_EXCEEDQUOTA, /* Exempt from quota restrictions. */

Is this something special to UFS, or did you use the UFS part only because no other filesystem in the tree has support for quotas?

> - It makes it possible for the MAC Framework to allow policies to grant
> privilege. Policy modules can register interest in privilege checks, and
> then specifically grant access to privileges as they see fit.
>
> In order to demonstrate MAC Framework integration with the privilege
> system, I have implemented a sample policy module, mac_privs, which
> allows rule-based granting of privileges to specific uids. Using a
> command line tool, appropriately privileged processes can modify the
> rule list, granting named privileges to unprivileged users.
> This is
> not a particularly mature example of a privilege-granting policy, as
> ideally privilege is something that is available but not always
> exercised -- i.e., similar to a setuid root binary that switches the
> effective uid to root only when it specifically needs privilege.
> However, it's quite useful in practice, and demonstrates how
> configurable policies can interact with kernel privilege decisions.

> It is my intent, following review, discussion, cleanup, etc, to commit
> the priv(9) work, sans mac_privs, to the 7.x tree in the next couple of
> weeks. The mac_privs policy is a sample policy that will continue to be
> maintained as part of the TrustedBSD Project, but not merged into the
> base tree at this point.

Is the mac_privs policy just a proof of concept? It would be nice to allow more fine grained access to some users or applications. The latter one would need some way to identify the application/binary in a safe way, maybe by using extended attributes in the FS.

Bye,
Alexander.

--
Real programmers don't write specs -- users should consider themselves
lucky to get any programs at all and take what they get.
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Sep 14 21:49:24 2006
Date: Thu, 14 Sep 2006 22:49:19 +0100 (BST)
From: Robert Watson
To: Max Laier
Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org
Subject: Re: New in-kernel privilege API: priv(9)
Message-ID: <20060914224516.G53301@fledge.watson.org>
In-Reply-To: <200609140253.06818.max@love2party.net>

On Thu, 14 Sep 2006, Max Laier wrote:

> I tried to read with care and understand the reason behind not using flags -
> at least partly. I didn't find any in your email so: Wouldn't it make
> sense to mask off at least part of it to encode some general decision into
> the privilege value directly. A la:
>
> #define ALLOW_IN_JAIL 0x8000000
>
> #define PRIV_KTRACE (42 | ALLOW_IN_JAIL)
>
> Right now, prison_priv_check() is looking rather scary to me. If something
> else wants to decide on finer granularity, alright, but in my opinion it's
> easier (more obvious) to keep the "normal" information in the .h file where
> the privileges are defined and described - as we are aiming for
> centralization of the decision and information. On top of that the caller
> could mask off ALLOW_IN_JAIL if they think it's not appropriate in a special
> use case of the privilege.

I'd like to avoid encoding the behavior of the jail policy into the privilege mechanism if we can avoid it, or changes in prison policy won't be properly propagated to binary modules, etc.
Imagine for a moment that the prison_check_priv() function contained none of the commented out privileges, which will be its final state, and with comments explaining which particular clusters of privileges are allowed (and are safe) in Jail. The commented out privileges listed there are primarily so I can make sure all the privileges are in sync during development, and not required in the long term.

> On an aside, it would be nice to have "optional" privilege checks i.e. in pf
> we trust the file permissions on /dev/pf (plus securelevel) to decide if
> someone is allowed to fiddle with the firewall. It would be nice to have a
> way of allowing MAC (or whatever) to decide this - without disallowing
> non-root use as long as the policy doesn't care. In code that would mean a
> "if (flags & SUSER_OPTIONAL) return (0);" just before the "if
> (suser_enabled) ..."-block. The policy would have its go in
> mac_priv_check() above.

Just to make sure I understand what you're describing: you would like a way to tell the kernel that specific privileges can have a relaxed policy for granting the privilege? I.e., throwing a global flag that grants the privilege to arbitrary credentials, rather than just root credentials?

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Thu Sep 14 21:53:41 2006
Date: Thu, 14 Sep 2006 22:53:40 +0100 (BST)
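The flag-versus-switch question debated in the message above, as an added example that is not code from the thread or from the FreeBSD tree. It is a userland C model: `cred_model`, the `priv_check_switch`/`priv_check_flag` pair, the rule table, the order of the checks and the number given to PRIV_UFS_SETQUOTA are assumptions made for illustration; 42 and the ALLOW_IN_JAIL bit are the values used in the thread.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 42 and the flag bit follow the thread's example; 43 is a constructed
 * number. The real privilege list lives in sys/sys/priv.h. */
#define PRIV_KTRACE        42
#define PRIV_UFS_SETQUOTA  43
#define ALLOW_IN_JAIL      0x8000000

struct cred_model {                 /* hypothetical stand-in for a credential */
    unsigned uid;
    bool jailed;
};

/* mac_privs-style rule (assumed shape): grant one privilege to one uid. */
struct grant_rule { unsigned uid; int priv; };
static const struct grant_rule rules[] = { { 1001, PRIV_UFS_SETQUOTA } };

/* Revision 1 lets jailed root use ktrace, revision 2 withdraws it. This
 * models editing the switch in kern_jail.c and booting the new kernel. */
static int jail_policy_rev = 1;

void tighten_jail_policy(void) { jail_policy_rev = 2; }

/* Central jail policy: list what is allowed in jail, deny the rest. */
static int prison_priv_check_model(const struct cred_model *cr, int priv)
{
    if (!cr->jailed)
        return 0;
    switch (priv) {
    case PRIV_KTRACE:
        return jail_policy_rev == 1 ? 0 : EPERM;
    default:
        return EPERM;
    }
}

static bool mac_grants(const struct cred_model *cr, int priv)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (rules[i].uid == cr->uid && rules[i].priv == priv)
            return true;
    return false;
}

/* Design A: callers name the privilege; the jail decision is made here. */
int priv_check_switch(const struct cred_model *cr, int priv)
{
    int error = prison_priv_check_model(cr, priv);

    if (error != 0)
        return error;
    return (cr->uid == 0 || mac_grants(cr, priv)) ? 0 : EPERM;
}

/* Design B: the jail decision rides in a bit of the caller's argument. */
int priv_check_flag(const struct cred_model *cr, int priv_and_flags)
{
    int priv = priv_and_flags & ~ALLOW_IN_JAIL;

    if (cr->jailed && !(priv_and_flags & ALLOW_IN_JAIL))
        return EPERM;
    return (cr->uid == 0 || mac_grants(cr, priv)) ? 0 : EPERM;
}

/* A binary module built against the old header keeps the old constant. */
static const int module_ktrace_arg = PRIV_KTRACE | ALLOW_IN_JAIL;

int module_ktrace_switch(const struct cred_model *cr)
{
    return priv_check_switch(cr, PRIV_KTRACE);
}

int module_ktrace_flag(const struct cred_model *cr)
{
    return priv_check_flag(cr, module_ktrace_arg);
}

int main(void)
{
    struct cred_model jailed_root = { 0, true };

    printf("before: switch=%d flag=%d\n",
        module_ktrace_switch(&jailed_root), module_ktrace_flag(&jailed_root));
    tighten_jail_policy();
    printf("after:  switch=%d flag=%d\n",
        module_ktrace_switch(&jailed_root), module_ktrace_flag(&jailed_root));
    return 0;
}
```

After `tighten_jail_policy()`, the switch-based check denies the jailed root credential while the flag-based check still accepts the constant the module was built with, and any caller that ORs in the flag decides the jail question for itself.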
From: Robert Watson
To: Alexander Leidinger
Cc: arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org
Subject: Re: New in-kernel privilege API: priv(9)
Message-ID: <20060914224925.W53301@fledge.watson.org>
In-Reply-To: <20060914081703.umum0k4x3k88k4ko@webmail.leidinger.net>

On Thu, 14 Sep 2006, Alexander Leidinger wrote:

> Quoting Robert Watson (from Wed, 13 Sep 2006 15:29:14
> +0100 (BST)):
>
>> privilege list in src/sys/priv.h:
>
>> ...
>> PRIV_UFS_SETQUOTA, /* setquota(). */
>> PRIV_UFS_SETUSE, /* setuse(). */
>> PRIV_UFS_EXCEEDQUOTA, /* Exempt from quota restrictions. */
>
> Is this something special to UFS, or did you use the UFS part only because
> no other filesystem in the tree has support for quotas?

They were labeled as UFS because they are currently somewhat UFS-specific, but you're right: it might well make sense to rename them to VFS as other file systems may gain support in the future. I'll make this change in P4.

>> It is my intent, following review, discussion, cleanup, etc, to commit the
>> priv(9) work, sans mac_privs, to the 7.x tree in the next couple of weeks.
>> The mac_privs policy is a sample policy that will continue to be maintained
>> as part of the TrustedBSD Project, but not merged into the base tree at
>> this point.
>
> Is the mac_privs policy just a proof of concept? It would be nice to allow
> more fine grained access to some users or applications.
> The latter one would
> need some way to identify the application/binary in a safe way, maybe by
> using extended attributes in the FS.

Yes, I consider it a proof of concept. Per my comments in a previous e-mail, I'm hesitant to rush into a modified privilege policy that either restricts the root user, or grants privileges to other processes, without a lot of careful thinking. The POSIX.1e-like privilege models used in many operating systems contain many subtleties, and in prior work on FreeBSD to experiment with those models, it was clear the level of risk in such a change was high. You can see some of this complexity by looking at the inheritance/etc logic in the Linux POSIX.1e code, the Solaris privileges(5) man page, or the POSIX.1e draft specs. A lot of the complexity comes out of the binding of privileges to files (similar to setuid) and the details of the inheritance and compatibility support for "unaware" applications. If you take a glance at the trustedbsd_cap branch, you can find an implementation of POSIX.1e capabilities on FreeBSD from several years ago.

I'm not opposed to revisiting this general issue, and in fact, the priv(9) work is intended to facilitate exactly that sort of work, but we need to do it very carefully.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-trustedbsd-discuss@FreeBSD.ORG Fri Sep 15 00:09:01 2006
From: Max Laier Organization: FreeBSD To: Robert Watson Date: Fri, 15 Sep 2006 02:08:45 +0200 User-Agent: KMail/1.9.3 References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net> <20060914224516.G53301@fledge.watson.org> In-Reply-To: <20060914224516.G53301@fledge.watson.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1696485.Dd1bkIxD5j"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200609150208.53002.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Sep 2006 00:09:01 -0000 --nextPart1696485.Dd1bkIxD5j Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Thursday 14 September 2006 23:49, Robert Watson wrote: > On Thu, 14 Sep 2006, Max Laier wrote: > > I tried to read with care and understand the reason behind not using > > flags - at least partly. I didn't find any in your email so: > > Wouldn't it make sense to mask off at least part of it to encode some > > general decision into the privilege value directly. A la: > > > > #define ALLOW_IN_JAIL 0x8000000 > > > > #define PRIV_KTRACE (42 | ALLOW_IN_JAIL) > > > > Right now, prison_priv_check() is looking rather scary to me.
If > > something else wants to decide on finer granularity, alright, but in > > my opinion it's easier (more obvious) to keep the "normal" > > information in the .h file where the privileges are defined and > > described - as we are aiming for centralization of the decision and > > information. On top of that the caller could mask off ALLOW_IN_JAIL > > if they think it's not appropriate in a special use case of the > > privilege. > > I'd like to avoid encoding the behavior of the jail policy into the > privilege mechanism if we can avoid it, or changes in prison policy > won't be properly propagated to binary modules, etc. Imagine for a > moment that the prison_check_priv() function contained none of the > commented out privileges, which will be its final state, and with > comments explaining which particular clusters of privileges are allowed > (and are safe) in Jail. The commented out privileges listed there are > primarily so I can make sure all the privileges are in sync during > development, and not required in the long term. Okay. It just looks strange/scary and I thought that a flag would be a good way to solve/work around that. Might be a matter of taste, though. > > On an aside, it would be nice to have "optional" privilege checks > > i.e. in pf we trust the file permissions on /dev/pf (plus > > securelevel) to decide if someone is allowed to fiddle with the > > firewall. It would be nice to have a way of allowing MAC (or > > whatever) to decide this - without disallowing non-root use as long > > as the policy doesn't care. In code that would mean a "if (flags & > > SUSER_OPTIONAL) return (0);" just before the "if (suser_enabled) > > ..."-block. The policy would have its go in mac_priv_check() above. > > Just to make sure I understand what you're describing: you would like a > way to tell the kernel that specific privileges can have a relaxed > policy for granting the privilege?
I.e., throwing a global flag that > grants the privilege to arbitrary credentials, rather than just root > credentials? I would like to give additional policy checks (such as MAC) a chance to deny privileges that do not necessarily require root right now, but might be interesting nonetheless. In the case of pf you might want to chown /dev/pf to "firewall operator" and be able to enforce this with your policy module additionally. Right now, the only way to restrict/check access to /dev/pf is the filesystem privileges on it + securelevel settings. I'm coming from this very restricted use case, but I thought it might be worth noting that there are places where privileges are coming from somewhere else. A privilege policy module might want to have a look still. -- /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1696485.Dd1bkIxD5j-- From owner-trustedbsd-discuss@FreeBSD.ORG Fri Sep 15 08:33:59 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0C5416A403 for ; Fri, 15 Sep 2006 08:33:59 +0000 (UTC) (envelope-from ceri@submonkey.net) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62CD043D45 for ; Fri, 15 Sep 2006 08:33:59 +0000 (GMT) (envelope-from ceri@submonkey.net) Received: from shrike.submonkey.net (cpc2-cdif2-0-0-cust107.cdif.cable.ntl.com [81.104.168.108]) by cyrus.watson.org (Postfix) with ESMTP id 36CB646BF7 for ; Fri, 15 
Sep 2006 04:33:57 -0400 (EDT) Received: from ceri by shrike.submonkey.net with local (Exim 4.63 (FreeBSD)) (envelope-from ) id 1GO991-0001lN-K4; Fri, 15 Sep 2006 09:33:55 +0100 Date: Fri, 15 Sep 2006 09:33:55 +0100 
From: Ceri Davies To: Robert Watson Message-ID: <20060915083355.GK93949@submonkey.net> Mail-Followup-To: Ceri Davies , Robert Watson , arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org References: <20060913150912.J1823@fledge.watson.org> <20060913184115.GE93949@submonkey.net> <20060913194559.U53301@fledge.watson.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="TmwHKJoIRFM7Mu/A" Content-Disposition: inline In-Reply-To: <20060913194559.U53301@fledge.watson.org> X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.13 (2006-08-11) Sender: Ceri Davies Cc: arch@FreeBSD.org, trustedbsd-discuss@TrustedBSD.org Subject: Re: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 15 Sep 2006 08:34:00 -0000 --TmwHKJoIRFM7Mu/A Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 13, 2006 at 09:28:24PM +0100, Robert Watson wrote: > A couple of points: > > First, the system present in Solaris is, in effect, a variant of some draft > of POSIX.1e (or possibly vice versa), albeit with differently named > constants. All the comments I made regarding POSIX.1e apply to it. > Specifically, the priv(9) kernel API offers much more fine-grained > assignment of rights relating to system administration, etc, corresponding > specifically to the set of privileges defined in our kernel. Agreed. > Second, privileges(5) describes an alternative privilege model exposed to > userspace, whereas the work I've described is an in-kernel API for > privilege checking.
It doesn't imply (or, for that matter, implement) a > change in the OS privilege model, although clearly it would facilitate > doing that in the future. Since priv(9) is not an application API, it's > not clear that application portability is an immediate concern. That's the difference I was looking for, thanks. > I think it's useful to compare the Solaris privilege set, and also consider > whether in the future we want to adopt a privilege model along similar > lines. However, given that the privilege models across various UNIX and > non-UNIX systems are all similar and yet completely different, I'm not sure > that being similar and yet different from Solaris is particularly a problem > -- more, say, than being similar but different from IRIX, Linux, Windows, > etc. True enough. Thanks. Ceri -- That must be wonderful! I don't understand it at all. -- Moliere --TmwHKJoIRFM7Mu/A--
From owner-trustedbsd-discuss@FreeBSD.ORG Sat Sep 23 09:26:19 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9F5E16A415; Sat, 23 Sep 2006 09:26:19 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id C5A8443D5C; Sat, 23 Sep 2006 09:26:17 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 45A8446DA8; Sat, 23 Sep 2006 05:26:17 -0400 (EDT) Date: Sat, 23 Sep 2006 10:26:17 +0100 (BST) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Max Laier In-Reply-To: <200609140253.06818.max@love2party.net> Message-ID: <20060923102438.N6562@fledge.watson.org> References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Sep 2006 09:26:19 -0000 On Thu, 14 Sep 2006, Max Laier wrote: > Right now, prison_priv_check() is looking rather scary to me. If something > else wants to decide on finer granularity, alright, but in my opinion it's > easier (more obvious) to keep the "normal" information in the .h file where > the privileges are defined and described - as we are aiming for > centralization of the decision and information. On top of that the caller > could mask off ALLOW_IN_JAIL if they think it's not appropriate in a special > use case of the privilege. The attached version of the kern_jail.c diff removes all the extra commented out privileges that aren't granted, and were largely there as development scaffolding to make sure I considered all privileges. Does this seem a bit less scary? Robert N M Watson Computer Laboratory University of Cambridge --- //depot/projects/trustedbsd/base/sys/kern/kern_jail.c 2006/09/18 08:37:28 +++ //depot/projects/trustedbsd/priv/sys/kern/kern_jail.c 2006/09/19 08:03:32 @@ -8,7 +8,7 @@ */ #include -__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.52 2006/09/17 20:00:35 rwatson Exp $"); +__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.51 2005/09/28 00:30:56 csjp Exp $"); #include "opt_mac.h" 
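Review bot: the __FBSDID line in the first hunk moves the ident from revision 1.52 (2006/09/17, rwatson) back to 1.51 (2005/09/28, csjp), which reads as the priv branch lagging the base branch rather than an intended edit. Re-integrate the branch or drop this hunk before the change goes in, so the $FreeBSD$ ident is not regressed and the diff shows only the privilege work.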
@@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -204,7 +205,7 @@ * a process root from one prison, but attached to the jail * of another. */ - error = suser(td); + error = priv_check(td, PRIV_JAIL_ATTACH); if (error) return (error); 
@@ -522,6 +523,172 @@ } } +/* + * Check with permission for a specific privilege is granted within jail. We + * have a specific list of accepted privileges; the rest are denied. + */ +int +prison_priv_check(struct ucred *cred, enum priv priv) +{ + + if (!(jailed(cred))) + return (0); + + switch (priv) { + + /* + * Allow ktrace privileges for root in jail. + */ + case PRIV_KTRACE: + + /* + * Allow jailed processes to configure audit identity and + * submit audit records (login, etc). In the future we may + * want to further refine the relationship between audit and + * jail. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + + /* + * Allow jailed processes to manipulate process UNIX + * credentials in any way they see fit. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Jail implements visibility constraints already, so allow + * jailed root to override uid/gid-based constraints. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + + /* + * Jail implements inter-process debugging limits already, so + * allow jailed root various debugging privileges. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow jail to set various resource limits and login + * properties, and for now, exceed process resource limits. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * The following privileges should be granted to jail once + * implemented. 
+ */ + /* case PRIV_IPC_READ: */ + /* case PRIV_IPC_WRITE: */ + /* case PRIV_IPC_EXEC: */ + /* case PRIV_IPC_ADMIN: */ + /* case PRIV_IPC_MSGSIZE: */ + /* case PRIV_MQ_ADMIN: */ + + /* + * Jail implements its own inter-process limits, so allow + * root processes in jail to change scheduling on other + * processes in the same jail. Likewise for signalling. + */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow jailed processes to write to sysctls marked as jail + * writable. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow root in jail to manage a variety of quota + * properties. Some are a bit surprising and should be + * reconsidered. + */ + case PRIV_UFS_GETQUOTA: + case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_SETQUOTA: + case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */ + + /* + * Since Jail relies on chroot() to implement file system + * protections, grant many VFS privileges to root in jail. + * Be careful to exclude mount-related and NFS-related + * privileges. + */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_CLEARSUGID: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_LINK: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + return (0); + + /* + * Depending on the global setting, allow privilege of + * setting system flags. + */ + case PRIV_VFS_SYSFLAGS: + if (jail_chflags_allowed) + return (0); + else + return (EPERM); + + /* + * Allow jailed root to bind reserved ports. + */ + case PRIV_NETINET_RESERVEDPORT: + return (0); + + /* + * Conditionally allow creating raw sockets in jail. 
+ */ + case PRIV_NETINET_RAW: + if (jail_allow_raw_sockets) + return (0); + else + return (EPERM); + + /* + * Since jail implements its own visibility limits on netstat + * sysctls, allow getcred. This allows identd to work in + * jail. + */ + case PRIV_NETINET_GETCRED: + return (0); + + default: + /* + * In all remaining cases, deny the privilege request. This + * includes almost all network privileges, many system + * configuration privileges. + */ + return (EPERM); + } +} + static int sysctl_jail_list(SYSCTL_HANDLER_ARGS) { From owner-trustedbsd-discuss@FreeBSD.ORG Sun Sep 24 03:02:20 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7EB0E16A407 for ; Sun, 24 Sep 2006 03:02:20 +0000 (UTC) (envelope-from csjp@FreeBSD.org) Received: from ems01.seccuris.com (ems01.seccuris.com [204.112.0.35]) by mx1.FreeBSD.org (Postfix) with SMTP id CDC0B43D53 for ; Sun, 24 Sep 2006 03:02:19 +0000 (GMT) (envelope-from csjp@FreeBSD.org) Received: (qmail 2116 invoked by uid 86); 24 Sep 2006 03:41:59 -0000 Received: from unknown (HELO ?127.0.0.1?) (204.112.0.40) by ems01.seccuris.com with SMTP; 24 Sep 2006 03:41:59 -0000 Message-ID: <4515F53A.7020300@FreeBSD.org> Date: Sat, 23 Sep 2006 22:02:18 -0500 
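Review bot: The first kern_jail.c hunk (@@ -8,7 +8,7 @@) moves the __FBSDID string backwards, from revision 1.52 (2006/09/17, rwatson) to 1.51 (2005/09/28, csjp). That is a side effect of diffing two branches at different sync points, not part of the privilege change, so the hunk should be dropped before the patch is applied.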
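Review bot: In the prison_priv_check() hunk (@@ -522,6 +523,172 @@), four of the cases that fall through to the shared return (0) are themselves marked "XXXRW: Slightly surprising" (PRIV_UFS_QUOTAOFF, PRIV_UFS_QUOTAON, PRIV_UFS_SETUSE, PRIV_VFS_BLOCKRESERVE). Because this function is an allow list with a default of EPERM, each of those comments should say why the privilege is granted anyway, so a later reader does not take the grant as reviewed and intended. Two smaller points: the header comment should read "Check whether permission for a specific privilege is granted within jail", and the commented-out PRIV_IPC_* and PRIV_MQ_ADMIN cases sit inside the fall-through run, so uncommenting one grants it with no other change; a line saying so would help.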
From: "Christian S.J. Peron" User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909) MIME-Version: 1.0 To: trustedbsd-discuss@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Robert Watson Subject: auditreduce: Solaris compat -ofile= option X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Sep 2006 03:02:20 -0000 All, I have modified our (OpenBSM's) version of auditreduce to be functionally equivalent (I hope) to the Solaris auditreduce with regard to processing pathnames. Here is the patch: http://people.freebsd.org/~csjp/auditreduce.c.1159024099.diff The change basically entails adding support for regular expressions (comma delimited regexps) with the option to exclude things from searches. I also added support to allow the search patterns to have commas in them (by escaping them). Anyway, feedback/review would be great! I would love to get this submitted in time for the FreeBSD 6.2 release cycle. -- Christian S.J. 
Peron csjp@FreeBSD.ORG FreeBSD Committer FreeBSD Security Team From owner-trustedbsd-discuss@FreeBSD.ORG Mon Sep 25 23:45:32 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C319916A494 for ; Mon, 25 Sep 2006 23:45:32 +0000 (UTC) (envelope-from max@love2party.net) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F4D843D6A for ; Mon, 25 Sep 2006 23:45:32 +0000 (GMT) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.188]) by cyrus.watson.org (Postfix) with ESMTP id 75F4B46D2E for ; Mon, 25 Sep 2006 19:44:58 -0400 (EDT) Received: from [88.66.16.234] (helo=amd64.laiers.local) by mrelayeu.kundenserver.de (node=mrelayeu4) with ESMTP (Nemesis), id 0ML21M-1GS0842HZb-0002qo; Tue, 26 Sep 2006 01:44:53 +0200 
From: Max Laier Organization: FreeBSD To: Robert Watson Date: Tue, 26 Sep 2006 01:44:45 +0200 User-Agent: KMail/1.9.4 References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net> <20060923102438.N6562@fledge.watson.org> In-Reply-To: <20060923102438.N6562@fledge.watson.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1239404.VOxjc7JlCO"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200609260144.51691.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de login:61c499deaeeba3ba5be80f48ecc83056 Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Sep 2006 23:45:32 -0000 --nextPart1239404.VOxjc7JlCO Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 23 September 2006 11:26, Robert Watson wrote: > On Thu, 14 Sep 2006, Max Laier wrote: > > Right now, prison_priv_check() is looking rather scary to me. If > > something else wants to decide on finer granularity, alright, but in > > my opinion it's easier (more obvious) to keep the "normal" > > information in the .h file where the privileges are defined and > > described - as we are aiming for centralization of the decision and > > information. On top of that the caller could mask off ALLOW_IN_JAIL > > if they think it's not appropriate in a special use case of the > > privilege. 
>
> The attached version of the kern_jail.c diff removes all the extra
> commented out privileges that aren't granted, and were largely there as
> development scaffolding to make sure I considered all privileges. Does
> this seem a bit less scary?

Yes. The argument about modules getting out of sync already had me convinced that encoding things in the value isn't the best idea. The cleaned up version of kern_jail.c now really gives a good example what we gain by this centralization.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
--nextPart1239404.VOxjc7JlCO--
From owner-trustedbsd-discuss@FreeBSD.ORG Tue Oct 31 11:01:33 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FFA116A415 for ; Tue, 31 Oct 2006 11:01:33 +0000 (UTC) (envelope-from robert@fledge.watson.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FA6B43D79 for ; Tue, 31 Oct 2006 11:01:30 +0000 (GMT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 0C7DB46C36 for ; Tue, 31 Oct 2006 06:01:30 -0500 (EST) Date: Tue, 31 Oct 2006 09:43:45 +0000 (GMT) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: arch@FreeBSD.org Message-ID: <20061031092122.D96078@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed ReSent-Date: Tue, 31 Oct 2006 11:01:22 +0000 (GMT) ReSent-From: robert ReSent-To: trustedbsd-discuss@TrustedBSD.org ReSent-Subject: New in-kernel privilege API: priv(9) ReSent-Message-ID: <20061031110122.X87421@fledge.watson.org> X-Mailman-Approved-At: Tue, 31 Oct 2006 13:23:50 +0000 Cc: Subject: New in-kernel privilege API: priv(9) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Oct 2006 11:01:33 -0000

Dear all,

A month and a half ago, I posted a patch implementing a priv(9) API. I've now updated this patch to reflect a more thorough review of kernel privilege, corrected some of the nits, etc. I would like to move ahead with committing priv(9), so this is a final request for review (or serious objections) before I do so in a few days. The commit will occur in two phases:

(1) Commit of the base portions of the patch:

    Modified Files:
        sys/kern/kern_jail.c
        sys/kern/kern_prot.c
        sys/security/mac/mac_framework.h
        sys/security/mac/mac_internal.h
        sys/sys/jail.h
        sys/sys/systm.h
        sys/conf/files
        share/man/man9/Makefile
        share/man/man9/suser.9

    Added Files:
        sys/kern/kern_priv.c
        sys/security/mac/mac_priv.c
        sys/sys/priv.h
        share/man/man9/priv.9

    Commit message for this attached below.

(2) Sweep of the remaining kernel files, cleaning up privilege checks, replacing suser()/suser_cred() calls, etc, across the kernel.

Among other things, I'd like to be able to add some additional names to the "Reviewed by:" list. :-) This is, of course, a set of highly sensitive security-related changes, and having detailed reviews is very important.
The primary changes from the previous patch to this one are:

- Significant cleanup of the kern_jail.c code. It's now simply a list of privileges granted in jail, with justifications.

- A number of tweaks and fixes to privilege use across the kernel. A moderate number of the XXX's added in the previous patch are now fixed. Not all though.

- The privilege list has changed from an enum to an int with #define's. This has several benefits -- one is that there's no longer a concern about the C limit of not being able to forward declare enumerated types. Also, since the numeric assignment of privilege identifiers is part of the kernel ABI for modules, I've moved to explicitly assigning privilege numbers, and have left gaps for subsystem growth, etc.

A few XXX's still exist that will require some further attention, likely after merging the patch. Pawel and I are also discussing whether there are some UFS privileges that should become general VFS privileges (such as quota bypass privileges). Another concern is that there are one or two places where privileges are inconsistently granted inside and outside of jail, and we will want to either subdivide the privilege or move to a more consistent approach. For this reason, the KASSERT() after prison_priv_check() in priv_check() concerning the consistency of SUSER_ALLOWJAIL and the internal logic is temporarily disabled.

Once we've decided that all looks good with regard to jail, I can sweep the kernel removing the SUSER_ALLOWJAIL arguments, and complete the migration of jail configuration frobs to kern_jail.c from their current scattered locations across the kernel.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

> Add a new priv(9) kernel interface for checking the availability of
> privilege for threads and credentials.
> Unlike the existing suser(9)
> interface, priv(9) exposes a named privilege identifier to the privilege
> checking code, allowing more complex policies regarding the granting of
> privilege to be expressed. Two interfaces are provided, replacing the
> existing suser(9) interface:
>
>     suser(td) -> priv_check(td, priv)
>     suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)
>
> A comprehensive list of currently available kernel privileges may be
> found in priv.h. New privileges are easily added as required, but the
> comments on adding privileges found in priv.h and priv(9) should be read
> before doing so.
>
> The new privilege interface exposed sufficient information to the
> privilege checking routine that it will now be possible for jail to
> determine whether a particular privilege is granted in the check routine,
> rather than relying on hints from the calling context via the
> SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail
> check function, prison_priv_check(), is exposed from kern_jail.c and used
> by the privilege check routine to determine if the privilege is permitted
> in jail. As a result, a centralized list of privileges permitted in jail
> is now present in kern_jail.c.
>
> The MAC Framework is now also able to instrument privilege checks, both
> to deny privileges otherwise granted (mac_priv_check()), and to grant
> privileges otherwise denied (mac_priv_grant()), permitting MAC Policy
> modules to implement privilege models, as well as control a much broader
> range of system behavior in order to constrain processes running with
> root privilege.
>
> The suser() and suser_cred() functions remain implemented, now in terms
> of priv_check() and the PRIV_ROOT privilege, for use during the transition
> and possibly continuing use by third party kernel modules that have not
> been updated. The PRIV_DRIVER privilege exists to allow device drivers to
> check privilege without adopting a more specific privilege identifier.
> > This change does not modify the actual security policy, rather, it > modifies the interface for privilege checks so changes to the security > policy become more feasible. > > Sponsored by: nCircle Network Security, Inc. > Discussed on: arch@ > Reviewed (at least in part) by: mlaier, jmg Index: share/man/man9/Makefile =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/share/man/man9/Makefile,v retrieving revision 1.282 diff -u -r1.282 Makefile --- share/man/man9/Makefile 5 Oct 2006 12:40:44 -0000 1.282 +++ share/man/man9/Makefile 31 Oct 2006 09:06:00 -0000 @@ -188,6 +188,7 @@ pmap_zero_page.9 \ printf.9 \ prison_check.9 \ + priv.9 \ pseudofs.9 \ psignal.9 \ random.9 \ Index: share/man/man9/priv.9 =================================================================== RCS file: share/man/man9/priv.9 diff -N share/man/man9/priv.9 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ share/man/man9/priv.9 31 Oct 2006 09:03:48 -0000 
@@ -0,0 +1,115 @@ +.\"- +.\" Copyright (c) 2006 nCircle Network Security, Inc. +.\" All rights reserved. +.\" +.\" This software was developed by Robert N. M. Watson for the TrustedBSD +.\" Project under contract to nCircle Network Security, Inc. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, +.\" INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED +.\" TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +.\" PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +.\" LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +.\" NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +.\" SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.\" +.Dd August 30, 2007 +.Dt priv 9 +.Os +.Sh NAME +.Nm priv +.Nd kernel privilege checking API +.Sh SYNOPSIS +.In sys/priv.h +.Ft int +.Fn priv_check "struct thread *td" "int priv" +.Ft int +.Fn priv_check_cred "struct ucred *cred" "int priv" "int flags" +.Sh DESCRIPTION +The +.Xr priv 9 +interfaces check to see if specific system privileges are granted to the +passed thread, +.Va td , +or credential, +.Va cred. +This interface replaces the +.Xr suser 9 +privilege checking interface. +Privileges typically represent rights in one of two categories: the right to +manage a particular component of the system, or an exemption to a specific +policy or access control list. +The caller identifies the desired privilege via the +.Fa priv +argument. +Additional access control context may also be passed using the +.Va flags . +.Ss Privilege Policies +Privileges are typically granted based on one of two base system policies: +the superuser policy, which grants privilege based on the effective (or +sometimes real) uid having a value of 0, and the +.Xr jail 2 +policy, which permits only certain privileges to be granted to processes in a +jail. +The set of available privileges may also be influenced by the TrustedBSD MAC +Framework, described in +.Xr mac 9 . +.Sh IMPLEMENTATION NOTES +When adding a new privilege check to a code path, first check the complete +list of current privileges in +.Pa sys/priv.h +to see if one already exists for the class of privilege required. +Only if there is not an exact match should a new privilege be added to the +privilege list. +As the privilege number becomes encoded in the kernel module ABI, privileges +should only be appended to the list, not inserted in the list, and the list +sort order should not be changed. +.Pp +Certain catch-all privileges exist, such as +.Dv PRIV_DRIVER , +intended to be used by device drivers, rather than adding a new +driver-specific privilege. 
+.Sh RETURN VALUES +Typically, 0 will be returned for success, and +.Dv EPERM +will be returned on failure. +Most consumers of +.Xr priv 9 +will wish to directly return the error code from a failed privilege check to +user space; a small number will wish to translate it to another error code +appropriate to a specific context. +.Pp +When designing new APIs, it is preferable to return explicit errors from a +call if privilege is not granted rather than changing the semantics of the +call but returning success. +For example, the behavior exhibited by +.Xr stat 2 , +in which the generation field is optionally zero'd out when insufficient +privilege is not present is highly undesirable, as it results in frequent +privilege checks, and the caller is unable to tell if an access control +failure occured. +.Sh SEE ALSO +.Xr jail 2 , +.Xr mac 9 , +.Xr suser 9 , +.Xr ucred 9 +.Sh AUTHORS +The +.Xr priv 9 +API and implementation were created by Robert Watson under contract to +nCircle Network Security, Inc. Index: share/man/man9/suser.9 =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/share/man/man9/suser.9,v retrieving revision 1.29 diff -u -r1.29 suser.9 --- share/man/man9/suser.9 16 May 2006 22:58:43 -0000 1.29 +++ share/man/man9/suser.9 31 Oct 2006 09:05:47 -0000 @@ -54,6 +54,12 @@ .Fn suser_cred functions check if the credentials given include superuser powers. .Pp +These interfaces have now been obsoleted by +.Xr priv 9 , +and are provided only for compatibility with third party kernel modules that +have not yet been updated to the new interface. +They should not be used in any new kernel code. +.Pp The .Fn suser function is the most common, and should be used unless special 
@@ -123,7 +129,8 @@ in which a TRUE response indicates superuser powers. .Sh SEE ALSO .Xr chroot 2 , -.Xr jail 2 +.Xr jail 2 , +.Xr priv 9 .Sh BUGS The .Fn suser Index: sys/amd64/amd64/io.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/amd64/amd64/io.c,v retrieving revision 1.1 diff -u -r1.1 io.c --- sys/amd64/amd64/io.c 1 Aug 2004 11:40:50 -0000 1.1 +++ sys/amd64/amd64/io.c 30 Oct 2006 17:07:54 -0000 @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -54,7 +55,7 @@ { int error; - error = suser(td); + error = priv_check(td, PRIV_IO); if (error != 0) return (error); error = securelevel_gt(td->td_ucred, 0); Index: sys/compat/linux/linux_misc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/linux/linux_misc.c,v retrieving revision 1.191 diff -u -r1.191 linux_misc.c --- sys/compat/linux/linux_misc.c 28 Oct 2006 16:47:38 -0000 1.191 +++ sys/compat/linux/linux_misc.c 30 Oct 2006 17:07:54 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -1020,7 +1021,8 @@ * Keep cr_groups[0] unchanged to prevent that. */ - if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { + if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, + SUSER_ALLOWJAIL)) != 0) { PROC_UNLOCK(p); crfree(newcred); return (error); @@ -1341,7 +1343,7 @@ switch (args->cmd) { case REBOOT_CAD_ON: case REBOOT_CAD_OFF: - return suser(td); + return (priv_check(td, PRIV_REBOOT)); case REBOOT_HALT: bsd_args.opt = RB_HALT; break; Index: sys/compat/linux/linux_uid16.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/linux/linux_uid16.c,v retrieving revision 1.19 diff -u -r1.19 linux_uid16.c --- sys/compat/linux/linux_uid16.c 19 Mar 2006 11:10:33 -0000 1.19 +++ sys/compat/linux/linux_uid16.c 30 Oct 2006 17:07:54 -0000 
@@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -123,7 +124,8 @@ * Keep cr_groups[0] unchanged to prevent that. */ - if ((error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { + if ((error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, + SUSER_ALLOWJAIL)) != 0) { PROC_UNLOCK(p); crfree(newcred); return (error); Index: sys/compat/svr4/svr4_fcntl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/svr4/svr4_fcntl.c,v retrieving revision 1.38 diff -u -r1.38 svr4_fcntl.c --- sys/compat/svr4/svr4_fcntl.c 22 Oct 2006 11:52:11 -0000 1.38 +++ sys/compat/svr4/svr4_fcntl.c 30 Oct 2006 17:07:54 -0000 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -280,7 +281,8 @@ goto out; if (td->td_ucred->cr_uid != vattr.va_uid && - (error = suser(td)) != 0) + (error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL)) != 0) goto out; if ((error = vn_start_write(vp, &mp, V_WAIT | PCATCH)) != 0) Index: sys/compat/svr4/svr4_misc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/compat/svr4/svr4_misc.c,v retrieving revision 1.90 diff -u -r1.90 svr4_misc.c --- sys/compat/svr4/svr4_misc.c 22 Oct 2006 11:52:11 -0000 1.90 +++ sys/compat/svr4/svr4_misc.c 30 Oct 2006 17:07:54 -0000 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include 
@@ -611,7 +612,8 @@ struct file *fp; int error, vfslocked; - if ((error = suser(td)) != 0) + if ((error = priv_check_cred(td->td_ucred, PRIV_VFS_FCHROOT, + SUSER_ALLOWJAIL)) != 0) return error; if ((error = getvnode(fdp, uap->fd, &fp)) != 0) return error; Index: sys/conf/files =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/conf/files,v retrieving revision 1.1156 diff -u -r1.1156 files --- sys/conf/files 30 Oct 2006 05:51:53 -0000 1.1156 +++ sys/conf/files 30 Oct 2006 21:24:56 -0000 @@ -1347,6 +1347,7 @@ kern/kern_physio.c standard kern/kern_pmc.c standard kern/kern_poll.c optional device_polling +kern/kern_priv.c standard kern/kern_proc.c standard kern/kern_prot.c standard kern/kern_resource.c standard @@ -1920,6 +1921,7 @@ security/mac/mac_net.c optional mac security/mac/mac_pipe.c optional mac security/mac/mac_posix_sem.c optional mac +security/mac/mac_priv.c optional mac security/mac/mac_process.c optional mac security/mac/mac_socket.c optional mac security/mac/mac_system.c optional mac Index: sys/contrib/altq/altq/altq_cbq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_cbq.c,v retrieving revision 1.3 diff -u -r1.3 altq_cbq.c --- sys/contrib/altq/altq/altq_cbq.c 9 Aug 2005 10:19:41 -0000 1.3 +++ sys/contrib/altq/altq/altq_cbq.c 30 Oct 2006 17:07:54 -0000 
@@ -1062,7 +1062,9 @@ /* currently only command that an ordinary user can call */ break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_version > 700000) + error = priv_check(p, PRIV_ALTQ_MANAGE); +#elsif (__FreeBSD_version > 400000) error = suser(p); #else error = suser(p->p_ucred, &p->p_acflag); Index: sys/contrib/altq/altq/altq_cdnr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_cdnr.c,v retrieving revision 1.2 diff -u -r1.2 altq_cdnr.c --- sys/contrib/altq/altq/altq_cdnr.c 12 Jun 2004 00:57:20 -0000 1.2 +++ sys/contrib/altq/altq/altq_cdnr.c 30 Oct 2006 17:07:54 -0000 @@ -1262,7 +1262,9 @@ case CDNR_GETSTATS: break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_versoin > 700000) + if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) +#elsif (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) #else if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) Index: sys/contrib/altq/altq/altq_hfsc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_hfsc.c,v retrieving revision 1.2 diff -u -r1.2 altq_hfsc.c --- sys/contrib/altq/altq/altq_hfsc.c 12 Jun 2004 00:57:20 -0000 1.2 +++ sys/contrib/altq/altq/altq_hfsc.c 30 Oct 2006 17:07:54 -0000 @@ -1975,7 +1975,10 @@ case HFSC_GETSTATS: break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_version > 700000) + if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) + return (error); +#elsif (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) return (error); #else Index: sys/contrib/altq/altq/altq_priq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_priq.c,v retrieving revision 1.2 diff -u -r1.2 altq_priq.c --- sys/contrib/altq/altq/altq_priq.c 12 Jun 2004 00:57:20 -0000 1.2 +++ sys/contrib/altq/altq/altq_priq.c 30 Oct 2006 17:07:54 -0000 
@@ -772,7 +772,10 @@ case PRIQ_GETSTATS: break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_version > 700000) + if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) + return (error); +#elsif (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) return (error); #else Index: sys/contrib/altq/altq/altq_red.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_red.c,v retrieving revision 1.2 diff -u -r1.2 altq_red.c --- sys/contrib/altq/altq/altq_red.c 12 Jun 2004 00:57:20 -0000 1.2 +++ sys/contrib/altq/altq/altq_red.c 30 Oct 2006 17:07:54 -0000 @@ -781,7 +781,9 @@ case RED_GETSTATS: break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_version > 700000) + if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) +#elsif (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) #else if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) Index: sys/contrib/altq/altq/altq_rio.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/altq/altq/altq_rio.c,v retrieving revision 1.3 diff -u -r1.3 altq_rio.c --- sys/contrib/altq/altq/altq_rio.c 10 Jun 2005 16:49:03 -0000 1.3 +++ sys/contrib/altq/altq/altq_rio.c 30 Oct 2006 17:07:54 -0000 @@ -531,7 +531,10 @@ case RIO_GETSTATS: break; default: -#if (__FreeBSD_version > 400000) +#if (__FreeBSD_versoin > 700000) + if ((error = priv_check(p, PRIV_ALTQ_MANAGE)) != 0) + return (error); +#elsif (__FreeBSD_version > 400000) if ((error = suser(p)) != 0) return (error); #else Index: sys/contrib/pf/net/if_pfsync.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/contrib/pf/net/if_pfsync.c,v retrieving revision 1.30 diff -u -r1.30 if_pfsync.c --- sys/contrib/pf/net/if_pfsync.c 9 Jul 2006 06:04:01 -0000 1.30 +++ sys/contrib/pf/net/if_pfsync.c 30 Oct 2006 17:07:54 -0000 
@@ -54,6 +54,9 @@ #endif #include +#ifdef __FreeBSD__ +#include +#endif #include #include #include @@ -1057,7 +1060,7 @@ break; case SIOCSETPFSYNC: #ifdef __FreeBSD__ - if ((error = suser(curthread)) != 0) + if ((error = priv_check(curthread, PRIV_NETINET_PF)) != 0) #else if ((error = suser(p, p->p_acflag)) != 0) #endif Index: sys/dev/an/if_an.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/an/if_an.c,v retrieving revision 1.79 diff -u -r1.79 if_an.c --- sys/dev/an/if_an.c 16 May 2006 14:36:22 -0000 1.79 +++ sys/dev/an/if_an.c 30 Oct 2006 17:07:54 -0000 @@ -92,6 +92,7 @@ #include #include #include +#include #include #include #include @@ -1920,7 +1921,7 @@ break; #ifdef ANCACHE if (sc->areq.an_type == AN_RID_ZERO_CACHE) { - error = suser(td); + error = priv_check(td, PRIV_DRIVER); if (error) break; sc->an_sigitems = sc->an_nextitem = 0; @@ -1944,7 +1945,7 @@ error = copyout(&sc->areq, ifr->ifr_data, sizeof(sc->areq)); break; case SIOCSAIRONET: - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) goto out; error = copyin(ifr->ifr_data, &sc->areq, sizeof(sc->areq)); if (error != 0) @@ -1952,7 +1953,7 @@ an_setdef(sc, &sc->areq); break; case SIOCGPRIVATE_0: /* used by Cisco client utility */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) goto out; error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl)); if (error) @@ -1974,7 +1975,7 @@ } break; case SIOCGPRIVATE_1: /* used by Cisco client utility */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) goto out; error = copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl)); if (error) 
@@ -2226,7 +2227,7 @@ } break; case SIOCS80211: - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_NET80211_MANAGE))) goto out; sc->areq.an_len = sizeof(sc->areq); /* Index: sys/dev/arl/if_arl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/arl/if_arl.c,v retrieving revision 1.13 diff -u -r1.13 if_arl.c --- sys/dev/arl/if_arl.c 16 May 2006 14:36:23 -0000 1.13 +++ sys/dev/arl/if_arl.c 30 Oct 2006 17:07:54 -0000 @@ -43,6 +43,7 @@ #include #include #include +#include #include #include @@ -504,7 +505,7 @@ break; case SIOCS80211: - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_NET80211_MANAGE))) break; switch (ireq->i_type) { case IEEE80211_IOC_SSID: @@ -577,7 +578,7 @@ } case SIOCGARLALL: bzero(&arlan_io, sizeof(arlan_io)); - if (!suser(td)) { + if (!priv_check(td, PRIV_DRIVER)) { bcopy(ar->systemId, arlan_io.cfg.sid, 4); } @@ -616,7 +617,7 @@ } while (0) case SIOCSARLALL: - if (suser(td)) + if (priv_check(td, PRIV_DRIVER)) break; user = (void *)ifr->ifr_data; Index: sys/dev/asr/asr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/asr/asr.c,v retrieving revision 1.79 diff -u -r1.79 asr.c --- sys/dev/asr/asr.c 31 Oct 2006 05:53:26 -0000 1.79 +++ sys/dev/asr/asr.c 31 Oct 2006 08:40:40 -0000 @@ -117,6 +117,7 @@ #include #include #include +#include #include #include #include @@ -3145,7 +3146,7 @@ s = splcam (); if (ASR_ctlr_held) { error = EBUSY; - } else if ((error = suser(td)) == 0) { + } else if ((error = priv_check(td, PRIV_DRIVER)) == 0) { ++ASR_ctlr_held; } splx(s); Index: sys/dev/ata/atapi-cd.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ata/atapi-cd.c,v retrieving revision 1.189 diff -u -r1.189 atapi-cd.c --- sys/dev/ata/atapi-cd.c 28 Jun 2006 15:04:10 -0000 1.189 +++ sys/dev/ata/atapi-cd.c 30 Oct 2006 17:07:54 -0000 
@@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -257,8 +258,11 @@ cdp->flags |= F_LOCKED; break; + /* + * XXXRW: Why does this require privilege? + */ case CDIOCRESET: - error = suser(td); + error = priv_check(td, PRIV_DRIVER); if (error) break; error = acd_test_ready(dev); Index: sys/dev/ce/if_ce.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ce/if_ce.c,v retrieving revision 1.3 diff -u -r1.3 if_ce.c --- sys/dev/ce/if_ce.c 3 Feb 2006 20:55:30 -0000 1.3 +++ sys/dev/ce/if_ce.c 30 Oct 2006 17:07:54 -0000 @@ -29,6 +29,7 @@ #if NPCI > 0 #include +#include #include #include #include @@ -1341,9 +1342,11 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else /* __FreeBSD_version >= 500000 */ +#elsif __FreeBSD_version < 700000 error = suser (td); -#endif /* __FreeBSD_version >= 500000 */ +#else + error = priv_check (td, PRIV_DRIVER); +#endif if (error) return error; #if __FreeBSD_version >= 600034 @@ -1380,8 +1383,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1408,8 +1413,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1426,8 +1433,10 @@ CE_DEBUG2 (d, ("ioctl: setcfg\n")); #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; 
@@ -1526,8 +1535,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1560,8 +1571,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1586,8 +1599,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1608,8 +1623,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1634,8 +1651,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1658,8 +1677,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1686,8 +1707,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1708,8 +1731,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; 
@@ -1734,8 +1759,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1758,8 +1785,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1784,8 +1813,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1810,8 +1841,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1836,8 +1869,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1867,8 +1902,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1892,8 +1929,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; @@ -1909,8 +1948,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; 
@@ -1945,8 +1986,10 @@ /* Only for superuser! */ #if __FreeBSD_version < 500000 error = suser (p); -#else +#elsif __FreeBSD_version < 700000 error = suser (td); +#else + error = priv_check (td, PRIV_DRIVER); #endif if (error) return error; Index: sys/dev/cnw/if_cnw.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cnw/if_cnw.c,v retrieving revision 1.23 diff -u -r1.23 if_cnw.c --- sys/dev/cnw/if_cnw.c 16 May 2006 14:36:23 -0000 1.23 +++ sys/dev/cnw/if_cnw.c 30 Oct 2006 17:07:54 -0000 @@ -236,6 +236,7 @@ #include #include #include +#include #include #include #include @@ -1339,7 +1340,7 @@ #if !defined(__FreeBSD__) error = suser(p->p_ucred, &p->p_acflag); #else - error = suser(td); + error = priv_check(td, PRIV_DRIVER); #endif if (error) break; @@ -1350,7 +1351,7 @@ #if !defined(__FreeBSD__) error = suser(p->p_ucred, &p->p_acflag); #else - error = suser(td); + error = priv_check(td, PRIV_DRIVER); #endif if (error) break; @@ -1361,7 +1362,7 @@ #if !defined(__FreeBSD__) error = suser(p->p_ucred, &p->p_acflag); #else - error = suser(td); + error = priv_check(td, PRIV_DRIVER); #endif if (error) break; Index: sys/dev/cp/if_cp.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cp/if_cp.c,v retrieving revision 1.29 diff -u -r1.29 if_cp.c --- sys/dev/cp/if_cp.c 27 Sep 2005 16:57:44 -0000 1.29 +++ sys/dev/cp/if_cp.c 30 Oct 2006 17:07:54 -0000 @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -1071,7 +1072,7 @@ case SERIAL_SETPROTO: CP_DEBUG2 (d, ("ioctl: setproto\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (d->ifp->if_drv_flags & IFF_DRV_RUNNING) 
@@ -1102,7 +1103,7 @@ case SERIAL_SETKEEPALIVE: CP_DEBUG2 (d, ("ioctl: setkeepalive\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if ((IFP2SP(d->ifp)->pp_flags & PP_FR) || @@ -1126,7 +1127,7 @@ case SERIAL_SETMODE: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (*(int*)data != SERIAL_HDLC) @@ -1142,7 +1143,7 @@ case SERIAL_SETCFG: CP_DEBUG2 (d, ("ioctl: setcfg\n")); - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1239,7 +1240,7 @@ case SERIAL_CLRSTAT: CP_DEBUG2 (d, ("ioctl: clrstat\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; c->rintr = 0; @@ -1268,7 +1269,7 @@ case SERIAL_SETBAUD: CP_DEBUG2 (d, ("ioctl: setbaud\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1286,7 +1287,7 @@ case SERIAL_SETLOOP: CP_DEBUG2 (d, ("ioctl: setloop\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1306,7 +1307,7 @@ case SERIAL_SETDPLL: CP_DEBUG2 (d, ("ioctl: setdpll\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_SERIAL) @@ -1328,7 +1329,7 @@ case SERIAL_SETNRZI: CP_DEBUG2 (d, ("ioctl: setnrzi\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_SERIAL) @@ -1348,7 +1349,7 @@ case SERIAL_SETDEBUG: CP_DEBUG2 (d, ("ioctl: setdebug\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; d->chan->debug = *(int*)data; 
@@ -1370,7 +1371,7 @@ case SERIAL_SETHIGAIN: CP_DEBUG2 (d, ("ioctl: sethigain\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1392,7 +1393,7 @@ case SERIAL_SETPHONY: CP_DEBUG2 (d, ("ioctl: setphony\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1414,7 +1415,7 @@ case SERIAL_SETUNFRAM: CP_DEBUG2 (d, ("ioctl: setunfram\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1436,7 +1437,7 @@ case SERIAL_SETSCRAMBLER: CP_DEBUG2 (d, ("ioctl: setscrambler\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_G703 && !c->unfram) @@ -1461,7 +1462,7 @@ case SERIAL_SETMONITOR: CP_DEBUG2 (d, ("ioctl: setmonitor\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1483,7 +1484,7 @@ case SERIAL_SETUSE16: CP_DEBUG2 (d, ("ioctl: setuse16\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1505,7 +1506,7 @@ case SERIAL_SETCRC4: CP_DEBUG2 (d, ("ioctl: setcrc4\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1) @@ -1538,7 +1539,7 @@ case SERIAL_SETCLK: CP_DEBUG2 (d, ("ioctl: setclk\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_E1 && 
@@ -1571,7 +1572,7 @@ case SERIAL_SETTIMESLOTS: CP_DEBUG2 (d, ("ioctl: settimeslots\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if ((c->type != T_E1 || c->unfram) && c->type != T_DATA) @@ -1597,7 +1598,7 @@ case SERIAL_SETINVCLK: CP_DEBUG2 (d, ("ioctl: setinvclk\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_SERIAL) @@ -1620,7 +1621,7 @@ case SERIAL_SETINVTCLK: CP_DEBUG2 (d, ("ioctl: setinvtclk\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_SERIAL) @@ -1642,7 +1643,7 @@ case SERIAL_SETINVRCLK: CP_DEBUG2 (d, ("ioctl: setinvrclk\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->type != T_SERIAL) @@ -1669,7 +1670,7 @@ case SERIAL_RESET: CP_DEBUG2 (d, ("ioctl: reset\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1682,7 +1683,7 @@ case SERIAL_HARDRESET: CP_DEBUG2 (d, ("ioctl: hardreset\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1714,7 +1715,7 @@ case SERIAL_SETDIR: CP_DEBUG2 (d, ("ioctl: setdir\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1739,7 +1740,7 @@ if (c->type != T_E3 && c->type != T_T3 && c->type != T_STS1) return EINVAL; /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); 
@@ -1761,7 +1762,7 @@ if (c->type != T_T3 && c->type != T_STS1) return EINVAL; /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); Index: sys/dev/ctau/if_ct.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ctau/if_ct.c,v retrieving revision 1.29 diff -u -r1.29 if_ct.c --- sys/dev/ctau/if_ct.c 16 May 2006 14:36:24 -0000 1.29 +++ sys/dev/ctau/if_ct.c 30 Oct 2006 17:07:54 -0000 @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -1300,7 +1301,7 @@ case SERIAL_SETPROTO: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (d->ifp->if_drv_flags & IFF_DRV_RUNNING) @@ -1328,7 +1329,7 @@ case SERIAL_SETKEEPALIVE: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if ((IFP2SP(d->ifp)->pp_flags & PP_FR) || @@ -1357,7 +1358,7 @@ case SERIAL_SETCFG: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_HDLC) @@ -1435,7 +1436,7 @@ case SERIAL_CLRSTAT: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; c->rintr = 0; @@ -1458,7 +1459,7 @@ case SERIAL_SETBAUD: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1474,7 +1475,7 @@ case SERIAL_SETLOOP: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1492,7 +1493,7 @@ case SERIAL_SETDPLL: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_E1 || c->mode == M_G703) 
@@ -1512,7 +1513,7 @@ case SERIAL_SETNRZI: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_E1 || c->mode == M_G703) @@ -1530,7 +1531,7 @@ case SERIAL_SETDEBUG: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; c->debug = *(int*)data; @@ -1550,7 +1551,7 @@ case SERIAL_SETHIGAIN: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1572,7 +1573,7 @@ if (c->mode != M_E1) return EINVAL; /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1595,7 +1596,7 @@ case SERIAL_SETCLK: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1619,7 +1620,7 @@ case SERIAL_SETTIMESLOTS: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1637,7 +1638,7 @@ case SERIAL_SETSUBCHAN: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splimp (); @@ -1663,7 +1664,7 @@ case SERIAL_SETINVCLK: case SERIAL_SETINVTCLK: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_E1 || c->mode == M_G703) @@ -1677,7 +1678,7 @@ case SERIAL_SETINVRCLK: /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_E1 || c->mode == M_G703) Index: sys/dev/cx/if_cx.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/cx/if_cx.c,v retrieving revision 1.52 diff -u -r1.52 if_cx.c --- sys/dev/cx/if_cx.c 16 May 2006 14:36:24 -0000 1.52 +++ sys/dev/cx/if_cx.c 30 Oct 2006 17:07:54 -0000 
@@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -1632,7 +1633,7 @@ case SERIAL_SETPORT: CX_DEBUG2 (d, ("ioctl: setproto\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; @@ -1658,7 +1659,7 @@ case SERIAL_SETPROTO: CX_DEBUG2 (d, ("ioctl: setproto\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_ASYNC) @@ -1695,7 +1696,7 @@ case SERIAL_SETKEEPALIVE: CX_DEBUG2 (d, ("ioctl: setkeepalive\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if ((IFP2SP(d->ifp)->pp_flags & PP_FR) || @@ -1725,7 +1726,7 @@ case SERIAL_SETMODE: CX_DEBUG2 (d, ("ioctl: setmode\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; @@ -1778,7 +1779,7 @@ case SERIAL_CLRSTAT: CX_DEBUG2 (d, ("ioctl: clrstat\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splhigh (); @@ -1810,7 +1811,7 @@ case SERIAL_SETBAUD: CX_DEBUG2 (d, ("ioctl: setbaud\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_ASYNC) @@ -1836,7 +1837,7 @@ case SERIAL_SETLOOP: CX_DEBUG2 (d, ("ioctl: setloop\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_ASYNC) @@ -1862,7 +1863,7 @@ case SERIAL_SETDPLL: CX_DEBUG2 (d, ("ioctl: setdpll\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_ASYNC) 
@@ -1888,7 +1889,7 @@ case SERIAL_SETNRZI: CX_DEBUG2 (d, ("ioctl: setnrzi\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; if (c->mode == M_ASYNC) @@ -1912,7 +1913,7 @@ case SERIAL_SETDEBUG: CX_DEBUG2 (d, ("ioctl: setdebug\n")); /* Only for superuser! */ - error = suser (td); + error = priv_check (td, PRIV_DRIVER); if (error) return error; s = splhigh (); Index: sys/dev/dcons/dcons_os.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/dcons/dcons_os.c,v retrieving revision 1.11 diff -u -r1.11 dcons_os.c --- sys/dev/dcons/dcons_os.c 26 May 2006 13:51:38 -0000 1.11 +++ sys/dev/dcons/dcons_os.c 30 Oct 2006 17:07:54 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include @@ -293,7 +294,8 @@ if ((tp->t_state & TS_ISOPEN) == 0) { tp->t_state |= TS_CARR_ON; ttyconsolemode(tp, 0); - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { splx(s); return (EBUSY); } Index: sys/dev/drm/drmP.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/drm/drmP.h,v retrieving revision 1.17 diff -u -r1.17 drmP.h --- sys/dev/drm/drmP.h 7 Sep 2006 23:04:47 -0000 1.17 +++ sys/dev/drm/drmP.h 30 Oct 2006 17:07:54 -0000 @@ -50,6 +50,9 @@ #include #include #include +#if __FreeBSD_version >= 700000 +#include +#endif #include #include #include 
@@ -233,7 +236,11 @@ #define PAGE_ALIGN(addr) round_page(addr) /* DRM_SUSER returns true if the user is superuser */ +#if __FreeBSD_version >= 700000 +#define DRM_SUSER(p) (priv_check(p, PRIV_DRIVER) == 0) +#else #define DRM_SUSER(p) (suser(p) == 0) +#endif #define DRM_AGP_FIND_DEVICE() agp_find_device() #define DRM_MTRR_WC MDF_WRITECOMBINE #define jiffies ticks Index: sys/dev/fdc/fdc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/fdc/fdc.c,v retrieving revision 1.313 diff -u -r1.313 fdc.c --- sys/dev/fdc/fdc.c 8 Sep 2006 21:46:00 -0000 1.313 +++ sys/dev/fdc/fdc.c 30 Oct 2006 17:07:54 -0000 @@ -69,6 +69,7 @@ #include #include #include +#include #include #include #include @@ -1489,8 +1490,9 @@ return (0); case FD_CLRERR: - if (suser(td) != 0) - return (EPERM); + error = priv_check(td, PRIV_DRIVER); + if (error) + return (error); fd->fdc->fdc_errs = 0; return (0); Index: sys/dev/hwpmc/hwpmc_mod.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/hwpmc/hwpmc_mod.c,v retrieving revision 1.25 diff -u -r1.25 hwpmc_mod.c --- sys/dev/hwpmc/hwpmc_mod.c 17 Sep 2006 20:00:35 -0000 1.25 +++ sys/dev/hwpmc/hwpmc_mod.c 30 Oct 2006 17:07:54 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include @@ -2782,10 +2783,9 @@ KASSERT(td == curthread, ("[pmc,%d] td != curthread", __LINE__)); - if (suser(td) || jailed(td->td_ucred)) { - error = EPERM; + error = priv_check(td, PRIV_PMC_MANAGE); + if (error) break; - } if ((error = copyin(arg, &pma, sizeof(pma))) != 0) break; 
@@ -2918,11 +2918,16 @@ */ if (PMC_IS_SYSTEM_MODE(mode)) { - if (jailed(curthread->td_ucred)) - error = EPERM; - else if (suser(curthread) && - (pmc_unprivileged_syspmcs == 0)) + if (jailed(curthread->td_ucred)) { error = EPERM; + break; + } + if (!pmc_unprivileged_syspmcs) { + error = priv_check(curthread, + PRIV_PMC_SYSTEM); + if (error) + break; + } } if (error) Index: sys/dev/if_ndis/if_ndis.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/if_ndis/if_ndis.c,v retrieving revision 1.117 diff -u -r1.117 if_ndis.c --- sys/dev/if_ndis/if_ndis.c 4 Feb 2006 19:42:49 -0000 1.117 +++ sys/dev/if_ndis/if_ndis.c 30 Oct 2006 17:07:54 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include @@ -2836,7 +2837,7 @@ error = ENOTTY; break; case SIOCGDRVSPEC: - if ((error = suser(curthread))) + if ((error = priv_check(curthread, PRIV_DRIVER))) break; error = copyin(ifr->ifr_data, &oid, sizeof(oid)); if (error) @@ -2865,7 +2866,7 @@ free(oidbuf, M_TEMP); break; case SIOCSDRVSPEC: - if ((error = suser(curthread))) + if ((error = priv_check(curthread, PRIV_DRIVER))) break; error = copyin(ifr->ifr_data, &oid, sizeof(oid)); if (error) @@ -2894,7 +2895,7 @@ free(oidbuf, M_TEMP); break; case SIOCGPRIVATE_0: - if ((error = suser(curthread))) + if ((error = priv_check(curthread, PRIV_DRIVER))) break; NDIS_LOCK(sc); if (sc->ndis_evt[sc->ndis_evtcidx].ne_sts == 0) { @@ -3062,7 +3063,7 @@ uint32_t foo; int error, len; - error = suser(curthread); + error = priv_check(curthread, PRIV_DRIVER); if (error) return (error); 
@@ -3370,7 +3371,7 @@ break; #endif case IEEE80211_IOC_STATIONNAME: - error = suser(curthread); + error = priv_check(curthread, PRIV_NET80211_MANAGE); if (error) break; if (ireq->i_val != 0 || Index: sys/dev/kbd/kbd.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/kbd/kbd.c,v retrieving revision 1.45 diff -u -r1.45 kbd.c --- sys/dev/kbd/kbd.c 28 Feb 2006 23:46:23 -0000 1.45 +++ sys/dev/kbd/kbd.c 30 Oct 2006 17:07:54 -0000 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -972,11 +973,11 @@ if (keymap_restrict_change >= 2) { for (i = 0; i < NUM_STATES; i++) if (oldkey->map[i] != newkey->map[i]) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); if (oldkey->spcl != newkey->spcl) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); if (oldkey->flgs != newkey->flgs) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); return (0); } @@ -991,7 +992,7 @@ if ((oldkey->spcl & (0x80 >> i)) == (newkey->spcl & (0x80 >> i)) && oldkey->map[i] == newkey->map[i]) continue; - return suser(td); + return priv_check(td, PRIV_KEYBOARD); } return (0); @@ -1020,20 +1021,20 @@ return (0); if (oldmap->n_accs != newmap->n_accs) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); for (accent = 0; accent < oldmap->n_accs; accent++) { oldacc = &oldmap->acc[accent]; newacc = &newmap->acc[accent]; if (oldacc->accchar != newacc->accchar) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); for (i = 0; i < NUM_ACCENTCHARS; ++i) { if (oldacc->map[i][0] != newacc->map[i][0]) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); if (oldacc->map[i][0] == 0) /* end of table */ break; if (oldacc->map[i][1] != newacc->map[i][1]) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); } } 
@@ -1048,7 +1049,7 @@ if (oldkey->len != newkey->flen || bcmp(oldkey->str, newkey->keydef, oldkey->len) != 0) - return suser(td); + return priv_check(td, PRIV_KEYBOARD); return (0); } Index: sys/dev/lmc/if_lmc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/lmc/if_lmc.c,v retrieving revision 1.29 diff -u -r1.29 if_lmc.c --- sys/dev/lmc/if_lmc.c 15 Jul 2006 02:07:38 -0000 1.29 +++ sys/dev/lmc/if_lmc.c 30 Oct 2006 17:07:55 -0000 @@ -113,6 +113,9 @@ # include # include # include +# if (__FreeBSD_version >= 700000) +# include +# endif # if (__FreeBSD_version >= 500000) # include # include Index: sys/dev/lmc/if_lmc.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/lmc/if_lmc.h,v retrieving revision 1.4 diff -u -r1.4 if_lmc.h --- sys/dev/lmc/if_lmc.h 21 Jul 2006 08:45:00 -0000 1.4 +++ sys/dev/lmc/if_lmc.h 30 Oct 2006 17:07:55 -0000 @@ -1223,7 +1223,11 @@ # define TOP_UNLOCK mtx_unlock (&sc->top_mtx) # define BOTTOM_TRYLOCK mtx_trylock(&sc->bottom_mtx) # define BOTTOM_UNLOCK mtx_unlock (&sc->bottom_mtx) -# define CHECK_CAP suser(curthread) +# if (__FreeBSD_version >= 700000) +# define CHECK_CAP priv_check(curthread, PRIV_DRIVER) +# else +# define CHECK_CAP suser(curthread) +# endif # else /* FreeBSD-4 */ # define TOP_TRYLOCK (sc->top_spl = splimp()) # define TOP_UNLOCK splx(sc->top_spl) Index: sys/dev/nmdm/nmdm.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/nmdm/nmdm.c,v retrieving revision 1.37 diff -u -r1.37 nmdm.c --- sys/dev/nmdm/nmdm.c 4 Jan 2006 08:34:23 -0000 1.37 +++ sys/dev/nmdm/nmdm.c 30 Oct 2006 17:07:55 -0000 @@ -41,6 +41,7 @@ #include #include +#include #include #include #include 
@@ -286,7 +287,8 @@ if ((tp->t_state & TS_ISOPEN) == 0) { ttyinitmode(tp, 0, 0); ttsetwater(tp); /* XXX ? */ - } else if (tp->t_state & TS_XCLUDE && suser(td)) { + } else if (tp->t_state & TS_XCLUDE && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { return (EBUSY); } Index: sys/dev/null/null.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/null/null.c,v retrieving revision 1.31 diff -u -r1.31 null.c --- sys/dev/null/null.c 27 Feb 2005 22:00:45 -0000 1.31 +++ sys/dev/null/null.c 30 Oct 2006 17:07:55 -0000 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -87,7 +88,7 @@ if (cmd != DIOCSKERNELDUMP) return (ENOIOCTL); - error = suser(td); + error = priv_check(td, PRIV_SETDUMPER); if (error) return (error); return (set_dumper(NULL)); Index: sys/dev/ofw/ofw_console.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/ofw/ofw_console.c,v retrieving revision 1.34 diff -u -r1.34 ofw_console.c --- sys/dev/ofw/ofw_console.c 30 May 2006 07:56:57 -0000 1.34 +++ sys/dev/ofw/ofw_console.c 30 Oct 2006 17:07:55 -0000 @@ -140,7 +140,8 @@ ttyconsolemode(tp, 0); setuptimeout = 1; - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { return (EBUSY); } Index: sys/dev/random/randomdev.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/random/randomdev.c,v retrieving revision 1.60 diff -u -r1.60 randomdev.c --- sys/dev/random/randomdev.c 20 Dec 2005 21:41:52 -0000 1.60 +++ sys/dev/random/randomdev.c 30 Oct 2006 17:07:55 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include 
@@ -85,7 +86,7 @@ random_close(struct cdev *dev __unused, int flags, int fmt __unused, struct thread *td) { - if ((flags & FWRITE) && (suser(td) == 0) + if ((flags & FWRITE) && (priv_check(td, PRIV_RANDOM_RESEED) == 0) && (securelevel_gt(td->td_ucred, 0) == 0)) { (*random_systat.reseed)(); random_systat.seeded = 1; Index: sys/dev/sbni/if_sbni.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/sbni/if_sbni.c,v retrieving revision 1.22 diff -u -r1.22 if_sbni.c --- sys/dev/sbni/if_sbni.c 11 Nov 2005 16:04:54 -0000 1.22 +++ sys/dev/sbni/if_sbni.c 30 Oct 2006 17:07:55 -0000 @@ -67,6 +67,7 @@ #include #include #include +#include #include #include #include @@ -1110,7 +1111,7 @@ case SIOCSHWFLAGS: /* set flags */ /* root only */ - error = suser(td); + error = priv_check(td, PRIV_DRIVER); if (error) break; flags = *(struct sbni_flags*)&ifr->ifr_data; @@ -1132,7 +1133,7 @@ break; case SIOCRINSTATS: - if (!(error = suser(td))) /* root only */ + if (!(error = priv_check(td, PRIV_DRIVER))) /* root only */ bzero(&sc->in_stats, sizeof(struct sbni_in_stats)); break; Index: sys/dev/sbsh/if_sbsh.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/sbsh/if_sbsh.c,v retrieving revision 1.16 diff -u -r1.16 if_sbsh.c --- sys/dev/sbsh/if_sbsh.c 16 May 2006 14:36:31 -0000 1.16 +++ sys/dev/sbsh/if_sbsh.c 30 Oct 2006 17:07:55 -0000 @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -424,7 +425,7 @@ switch(cmd) { case SIOCLOADFIRMW: - if ((error = suser(curthread)) != 0) + if ((error = priv_check(curthread, PRIV_DRIVER)) != 0) break; if (ifp->if_flags & IFF_UP) error = EBUSY; @@ -444,7 +445,7 @@ break; case SIOCGETSTATS : - if ((error = suser(curthread)) != 0) + if ((error = priv_check(curthread, PRIV_DRIVER)) != 0) break; t = 0; 
@@ -478,7 +479,7 @@ break; case SIOCCLRSTATS : - if (!(error = suser(curthread))) { + if (!(error = priv_check(curthread, PRIV_DRIVER))) { bzero(&sc->in_stats, sizeof(struct sbni16_stats)); t = 2; if (issue_cx28975_cmd(sc, _DSL_CLEAR_ERROR_CTRS, &t, 1)) Index: sys/dev/si/si.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/si/si.c,v retrieving revision 1.137 diff -u -r1.137 si.c --- sys/dev/si/si.c 6 Jan 2006 19:56:12 -0000 1.137 +++ sys/dev/si/si.c 30 Oct 2006 17:07:55 -0000 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include @@ -650,7 +651,7 @@ ip = (int *)data; -#define SUCHECK if ((error = suser(td))) goto out +#define SUCHECK if ((error = priv_check(td, PRIV_DRIVER))) goto out switch (cmd) { case TCSIPORTS: Index: sys/dev/syscons/syscons.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/syscons/syscons.c,v retrieving revision 1.447 diff -u -r1.447 syscons.c --- sys/dev/syscons/syscons.c 27 Sep 2006 19:56:59 -0000 1.447 +++ sys/dev/syscons/syscons.c 30 Oct 2006 17:07:55 -0000 @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -517,7 +518,7 @@ ttyld_modem(tp, 1); } else - if (tp->t_state & TS_XCLUDE && suser(td)) + if (tp->t_state & TS_XCLUDE && priv_check(td, PRIV_TTY_EXCLUSIVE)) return(EBUSY); error = ttyld_open(tp, dev); @@ -1092,7 +1093,7 @@ return 0; case KDENABIO: /* allow io operations */ - error = suser(td); + error = priv_check(td, PRIV_IO); if (error != 0) return error; error = securelevel_gt(td->td_ucred, 0); Index: sys/dev/syscons/sysmouse.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/syscons/sysmouse.c,v retrieving revision 1.28 diff -u -r1.28 sysmouse.c --- sys/dev/syscons/sysmouse.c 4 Dec 2005 02:12:42 -0000 1.28 +++ sys/dev/syscons/sysmouse.c 30 Oct 2006 17:07:55 -0000 
@@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -83,7 +84,8 @@ ttyinitmode(tp, 0, 0); smparam(tp, &tp->t_termios); ttyld_modem(tp, 1); - } else if (tp->t_state & TS_XCLUDE && suser(td)) { + } else if (tp->t_state & TS_XCLUDE && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { return EBUSY; } Index: sys/dev/wi/if_wi.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/wi/if_wi.c,v retrieving revision 1.199 diff -u -r1.199 if_wi.c --- sys/dev/wi/if_wi.c 5 Aug 2006 04:58:25 -0000 1.199 +++ sys/dev/wi/if_wi.c 30 Oct 2006 17:07:55 -0000 @@ -76,6 +76,7 @@ #endif #include #include +#include #include #include #include @@ -1273,7 +1274,7 @@ WI_UNLOCK(sc); break; case SIOCSIFGENERIC: - error = suser(td); + error = priv_check(td, PRIV_DRIVER); if (error == 0) error = wi_set_cfg(ifp, cmd, data); break; @@ -1291,7 +1292,7 @@ error = copyout(&wreq, ifr->ifr_data, sizeof(wreq)); break; case SIOCSPRISM2DEBUG: - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) return (error); error = copyin(ifr->ifr_data, &wreq, sizeof(wreq)); if (error) @@ -1312,7 +1313,7 @@ case SIOCS80211: ireq = (struct ieee80211req *) data; if (ireq->i_type == IEEE80211_IOC_STATIONNAME) { - error = suser(td); + error = priv_check(td, PRIV_NET80211_MANAGE); if (error) break; if (ireq->i_val != 0 || Index: sys/dev/wl/if_wl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/wl/if_wl.c,v retrieving revision 1.73 diff -u -r1.73 if_wl.c --- sys/dev/wl/if_wl.c 19 Jun 2006 11:30:36 -0000 1.73 +++ sys/dev/wl/if_wl.c 30 Oct 2006 17:07:55 -0000 @@ -197,6 +197,7 @@ #include #include #include +#include #include #include #include 
@@ -1310,7 +1311,7 @@ /* pointer to buffer in user space */ up = (void *)ifr->ifr_data; /* work out if they're root */ - isroot = (suser(td) == 0); + isroot = (priv_check(td, PRIV_NET80211_GETKEY) == 0); for (i = 0; i < 0x40; i++) { /* don't hand the DES key out to non-root users */ @@ -1327,7 +1328,7 @@ /* copy the PSA in from the caller; we only copy _some_ values */ case SIOCSWLPSA: /* root only */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) break; error = EINVAL; /* assume the worst */ /* pointer to buffer in user space containing data */ @@ -1383,7 +1384,7 @@ */ case SIOCSWLCNWID: /* root only */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) break; if (!(ifp->if_flags & IFF_UP)) { error = EIO; /* only allowed while up */ @@ -1401,7 +1402,7 @@ /* copy the EEPROM in 2.4 Gz WaveMODEM out to the caller */ case SIOCGWLEEPROM: /* root only */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) break; /* pointer to buffer in user space */ up = (void *)ifr->ifr_data; @@ -1428,7 +1429,7 @@ /* zero (Delete) the wl cache */ case SIOCDWLCACHE: /* root only */ - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_DRIVER))) break; wl_cache_zero(sc); break; Index: sys/dev/zs/zs.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/dev/zs/zs.c,v retrieving revision 1.35 diff -u -r1.35 zs.c --- sys/dev/zs/zs.c 26 May 2006 18:25:34 -0000 1.35 +++ sys/dev/zs/zs.c 30 Oct 2006 17:07:55 -0000 
@@ -453,7 +453,7 @@ if ((tp->t_state & TS_ISOPEN) != 0 && (tp->t_state & TS_XCLUDE) != 0 && - suser(td) != 0) + priv_check(td, PRIV_TTY_EXCLUSIVE) != 0) return (EBUSY); if ((tp->t_state & TS_ISOPEN) == 0) { Index: sys/fs/devfs/devfs_rule.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/devfs/devfs_rule.c,v retrieving revision 1.22 diff -u -r1.22 devfs_rule.c --- sys/fs/devfs/devfs_rule.c 17 Jul 2006 09:07:01 -0000 1.22 +++ sys/fs/devfs/devfs_rule.c 31 Oct 2006 08:25:32 -0000 @@ -67,6 +67,7 @@ #include #include #include +#include #include #include #include @@ -164,11 +165,13 @@ sx_assert(&dm->dm_lock, SX_XLOCKED); /* - * XXX: This returns an error regardless of whether we - * actually support the cmd or not. + * XXX: This returns an error regardless of whether we actually + * support the cmd or not. + * + * We could make this privileges finer grained if desired. */ - error = suser(td); - if (error != 0) + error = priv_check(td, PRIV_DEVFS_RULE); + if (error) return (error); sx_xlock(&sx_rules); Index: sys/fs/devfs/devfs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/devfs/devfs_vnops.c,v retrieving revision 1.139 diff -u -r1.139 devfs_vnops.c --- sys/fs/devfs/devfs_vnops.c 22 Oct 2006 11:52:12 -0000 1.139 +++ sys/fs/devfs/devfs_vnops.c 30 Oct 2006 17:07:55 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include 
@@ -1145,19 +1146,25 @@ else gid = vap->va_gid; if (uid != de->de_uid || gid != de->de_gid) { - if (((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid || - (gid != de->de_gid && !groupmember(gid, ap->a_cred))) && - (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL)) != 0) - return (error); + if ((ap->a_cred->cr_uid != de->de_uid) || uid != de->de_uid || + (gid != de->de_gid && !groupmember(gid, ap->a_cred))) { + error = priv_check_cred(ap->a_td->td_ucred, + PRIV_VFS_CHOWN, SUSER_ALLOWJAIL); + if (error) + return (error); + } de->de_uid = uid; de->de_gid = gid; c = 1; } if (vap->va_mode != (mode_t)VNOVAL) { - if ((ap->a_cred->cr_uid != de->de_uid) && - (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL))) - return (error); + if (ap->a_cred->cr_uid != de->de_uid) { + error = priv_check_cred(ap->a_td->td_ucred, + PRIV_VFS_ADMIN, SUSER_ALLOWJAIL); + if (error) + return (error); + } de->de_mode = vap->va_mode; c = 1; } @@ -1227,7 +1234,8 @@ td = ap->a_cnp->cn_thread; KASSERT(td == curthread, ("devfs_symlink: td != curthread")); - error = suser(td); + + error = priv_check(td, PRIV_DEVFS_SYMLINK); if (error) return(error); dmp = VFSTODEVFS(ap->a_dvp->v_mount); Index: sys/fs/hpfs/hpfs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/hpfs/hpfs_vnops.c,v retrieving revision 1.68 diff -u -r1.68 hpfs_vnops.c --- sys/fs/hpfs/hpfs_vnops.c 17 Jan 2006 17:29:01 -0000 1.68 +++ sys/fs/hpfs/hpfs_vnops.c 30 Oct 2006 17:07:55 -0000 
@@ -501,11 +501,12 @@ if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) { if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); - if (cred->cr_uid != hp->h_uid && - (error = suser_cred(cred, SUSER_ALLOWJAIL)) && - ((vap->va_vaflags & VA_UTIMES_NULL) == 0 || - (error = VOP_ACCESS(vp, VWRITE, cred, td)))) - return (error); + if (vap->va_vaflags & VA_UTIMES_NULL) { + error = VOP_ACCESS(vp, VADMIN, cred, td); + if (error) + error = VOP_ACCESS(vp, VWRITE, cred, td); + } else + error = VOP_ACCESS(vp, VADMIN, cred, td); if (vap->va_atime.tv_sec != VNOVAL) hp->h_atime = vap->va_atime.tv_sec; if (vap->va_mtime.tv_sec != VNOVAL) Index: sys/fs/msdosfs/msdosfs_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/msdosfs/msdosfs_vfsops.c,v retrieving revision 1.153 diff -u -r1.153 msdosfs_vfsops.c --- sys/fs/msdosfs/msdosfs_vfsops.c 26 Sep 2006 04:12:45 -0000 1.153 +++ sys/fs/msdosfs/msdosfs_vfsops.c 30 Oct 2006 17:07:55 -0000 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include @@ -293,17 +294,17 @@ * If upgrade to read-write by non-root, then verify * that user has necessary permissions on the device. */ - if (suser(td)) { - devvp = pmp->pm_devvp; - vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); - error = VOP_ACCESS(devvp, VREAD | VWRITE, - td->td_ucred, td); - if (error) { - VOP_UNLOCK(devvp, 0, td); - return (error); - } + devvp = pmp->pm_devvp; + vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); + error = VOP_ACCESS(devvp, VREAD | VWRITE, + td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { VOP_UNLOCK(devvp, 0, td); + return (error); } + VOP_UNLOCK(devvp, 0, td); DROP_GIANT(); g_topology_lock(); error = g_access(pmp->pm_cp, 0, 1, 0); 
@@ -353,15 +354,15 @@ * If mount by non-root, then verify that user has necessary * permissions on the device. */ - if (suser(td)) { - accessmode = VREAD; - if ((mp->mnt_flag & MNT_RDONLY) == 0) - accessmode |= VWRITE; - error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); - if (error) { - vput(devvp); - return (error); - } + accessmode = VREAD; + if ((mp->mnt_flag & MNT_RDONLY) == 0) + accessmode |= VWRITE; + error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { + vput(devvp); + return (error); } if ((mp->mnt_flag & MNT_UPDATE) == 0) { error = mountmsdosfs(devvp, mp, td); Index: sys/fs/msdosfs/msdosfs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/msdosfs/msdosfs_vnops.c,v retrieving revision 1.164 diff -u -r1.164 msdosfs_vnops.c --- sys/fs/msdosfs/msdosfs_vnops.c 24 Oct 2006 11:14:05 -0000 1.164 +++ sys/fs/msdosfs/msdosfs_vnops.c 30 Oct 2006 17:07:55 -0000 @@ -59,6 +59,7 @@ #include #include #include +#include #include #include #include @@ -404,9 +405,12 @@ if (vap->va_flags != VNOVAL) { if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); - if (cred->cr_uid != pmp->pm_uid && - (error = suser_cred(cred, SUSER_ALLOWJAIL))) - return (error); + if (cred->cr_uid != pmp->pm_uid) { + error = priv_check_cred(cred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL); + if (error) + return (error); + } /* * We are very inconsistent about handling unsupported * attributes. We ignored the access time and the @@ -419,9 +423,11 @@ * set ATTR_ARCHIVE for directories `cp -pr' from a more * sensible filesystem attempts it a lot. */ - if (suser_cred(cred, SUSER_ALLOWJAIL)) { - if (vap->va_flags & SF_SETTABLE) - return EPERM; + if (vap->va_flags & SF_SETTABLE) { + error = priv_check_cred(cred, PRIV_VFS_SYSFLAGS, + SUSER_ALLOWJAIL); + if (error) + return (error); } if (vap->va_flags & ~SF_ARCHIVED) return EOPNOTSUPP; 
@@ -444,10 +450,13 @@ gid = vap->va_gid; if (gid == (gid_t)VNOVAL) gid = pmp->pm_gid; - if ((cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid || - (gid != pmp->pm_gid && !groupmember(gid, cred))) && - (error = suser_cred(cred, SUSER_ALLOWJAIL))) - return error; + if (cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid || + (gid != pmp->pm_gid && !groupmember(gid, cred))) { + error = priv_check_cred(cred, PRIV_VFS_CHOWN, + SUSER_ALLOWJAIL); + if (error) + return (error); + } if (uid != pmp->pm_uid || gid != pmp->pm_gid) return EINVAL; } @@ -477,11 +486,13 @@ if (vap->va_atime.tv_sec != VNOVAL || vap->va_mtime.tv_sec != VNOVAL) { if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); - if (cred->cr_uid != pmp->pm_uid && - (error = suser_cred(cred, SUSER_ALLOWJAIL)) && - ((vap->va_vaflags & VA_UTIMES_NULL) == 0 || - (error = VOP_ACCESS(ap->a_vp, VWRITE, cred, ap->a_td)))) - return (error); + if (vap->va_vaflags & VA_UTIMES_NULL) { + error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td); + if (error) + error = VOP_ACCESS(vp, VWRITE, cred, + ap->a_td); + } else + error = VOP_ACCESS(vp, VADMIN, cred, ap->a_td); if (vp->v_type != VDIR) { if ((pmp->pm_flags & MSDOSFSMNT_NOWIN95) == 0 && vap->va_atime.tv_sec != VNOVAL) { 
@@ -506,9 +517,12 @@ if (vap->va_mode != (mode_t)VNOVAL) { if (vp->v_mount->mnt_flag & MNT_RDONLY) return (EROFS); - if (cred->cr_uid != pmp->pm_uid && - (error = suser_cred(cred, SUSER_ALLOWJAIL))) - return (error); + if (cred->cr_uid != pmp->pm_uid) { + error = priv_check_cred(cred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL); + if (error) + return (error); + } if (vp->v_type != VDIR) { /* We ignore the read and execute bits. */ if (vap->va_mode & VWRITE) Index: sys/fs/procfs/procfs_ioctl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/procfs/procfs_ioctl.c,v retrieving revision 1.13 diff -u -r1.13 procfs_ioctl.c --- sys/fs/procfs/procfs_ioctl.c 27 Sep 2006 19:57:00 -0000 1.13 +++ sys/fs/procfs/procfs_ioctl.c 30 Oct 2006 17:07:55 -0000 @@ -34,6 +34,7 @@ #include #include #include +#include #include #include #include @@ -104,8 +105,19 @@ #endif case PIOCSFL: flags = *(unsigned int *)data; - if (flags & PF_ISUGID && (error = suser(td)) != 0) - break; + if (flags & PF_ISUGID) { + /* + * XXXRW: Is this specific check required here, as + * p_candebug() should implement it, or other checks + * are missing. + * + * XXXRW: Other debugging privileges are granted in + * jail, why isn't this? + */ + error = priv_check(td, PRIV_DEBUG_SUGID); + if (error) + break; + } p->p_pfsflags = flags; break; case PIOCGFL: Index: sys/fs/smbfs/smbfs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/smbfs/smbfs_vnops.c,v retrieving revision 1.62 diff -u -r1.62 smbfs_vnops.c --- sys/fs/smbfs/smbfs_vnops.c 31 May 2006 22:31:08 -0000 1.62 +++ sys/fs/smbfs/smbfs_vnops.c 30 Oct 2006 17:07:55 -0000 
@@ -352,11 +352,13 @@ if (vap->va_atime.tv_sec != VNOVAL) atime = &vap->va_atime; if (mtime != atime) { - if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_uid && - (error = suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) && - ((vap->va_vaflags & VA_UTIMES_NULL) == 0 || - (error = VOP_ACCESS(vp, VWRITE, ap->a_cred, ap->a_td)))) - return (error); + if (vap->va_vaflags & VA_UTIMES_NULL) { + error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td); + if (error) + error = VOP_ACCESS(vp, VWRITE, ap->a_cred, + ap->a_td); + } else + error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td); #if 0 if (mtime == NULL) mtime = &np->n_mtime; Index: sys/fs/udf/udf_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/udf/udf_vfsops.c,v retrieving revision 1.44 diff -u -r1.44 udf_vfsops.c --- sys/fs/udf/udf_vfsops.c 26 Sep 2006 04:12:46 -0000 1.44 +++ sys/fs/udf/udf_vfsops.c 30 Oct 2006 17:07:55 -0000 @@ -84,6 +84,7 @@ #include #include #include +#include #include #include #include @@ -238,7 +239,7 @@ /* Check the access rights on the mount device */ error = VOP_ACCESS(devvp, VREAD, td->td_ucred, td); if (error) - error = suser(td); + error = priv_check(td, PRIV_VFS_MOUNT_PERM); if (error) { vput(devvp); return (error); Index: sys/fs/umapfs/umap_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/fs/umapfs/umap_vfsops.c,v retrieving revision 1.65 diff -u -r1.65 umap_vfsops.c --- sys/fs/umapfs/umap_vfsops.c 26 Sep 2006 04:12:46 -0000 1.65 +++ sys/fs/umapfs/umap_vfsops.c 30 Oct 2006 17:07:55 -0000 
@@ -88,8 +88,9 @@ /* * Only for root */ - if ((error = suser(td)) != 0) - return (error); + error = priv_check(td, PRIV_VFS_MOUNT); + if (error) + return (ERROR); #ifdef DEBUG printf("umapfs_mount(mp = %p)\n", (void *)mp); Index: sys/gnu/fs/ext2fs/ext2_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/ext2fs/ext2_vfsops.c,v retrieving revision 1.158 diff -u -r1.158 ext2_vfsops.c --- sys/gnu/fs/ext2fs/ext2_vfsops.c 26 Sep 2006 04:12:47 -0000 1.158 +++ sys/gnu/fs/ext2fs/ext2_vfsops.c 30 Oct 2006 17:07:55 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include #include @@ -197,15 +198,16 @@ * If upgrade to read-write by non-root, then verify * that user has necessary permissions on the device. */ - if (suser(td)) { - vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); - if ((error = VOP_ACCESS(devvp, VREAD | VWRITE, - td->td_ucred, td)) != 0) { - VOP_UNLOCK(devvp, 0, td); - return (error); - } + vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); + error = VOP_ACCESS(devvp, VREAD | VWRITE, + td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { VOP_UNLOCK(devvp, 0, td); + return (error); } + VOP_UNLOCK(devvp, 0, td); DROP_GIANT(); g_topology_lock(); error = g_access(ump->um_cp, 0, 1, 0); 
@@ -259,15 +261,18 @@ /* * If mount by non-root, then verify that user has necessary * permissions on the device. + * + * XXXRW: VOP_ACCESS() enough? */ - if (suser(td)) { - accessmode = VREAD; - if ((mp->mnt_flag & MNT_RDONLY) == 0) - accessmode |= VWRITE; - if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td)) != 0) { - vput(devvp); - return (error); - } + accessmode = VREAD; + if ((mp->mnt_flag & MNT_RDONLY) == 0) + accessmode |= VWRITE; + error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { + vput(devvp); + return (error); } if ((mp->mnt_flag & MNT_UPDATE) == 0) { Index: sys/gnu/fs/ext2fs/ext2_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/ext2fs/ext2_vnops.c,v retrieving revision 1.105 diff -u -r1.105 ext2_vnops.c --- sys/gnu/fs/ext2fs/ext2_vnops.c 29 Dec 2005 21:34:49 -0000 1.105 +++ sys/gnu/fs/ext2fs/ext2_vnops.c 30 Oct 2006 17:07:55 -0000 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include #include @@ -411,7 +412,8 @@ * Privileged non-jail processes may not modify system flags * if securelevel > 0 and any existing system flags are set. */ - if (!suser_cred(cred, SUSER_ALLOWJAIL)) { + if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, + SUSER_ALLOWJAIL)) { if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) { error = securelevel_gt(cred, 0); 
@@ -529,11 +531,17 @@ * as well as set the setgid bit on a file with a group that the * process is not a member of. */ - if (suser_cred(cred, SUSER_ALLOWJAIL)) { - if (vp->v_type != VDIR && (mode & S_ISTXT)) + if (vp->v_type != VDIR && (mode & S_ISTXT)) { + error = priv_check_cred(cred, PRIV_VFS_STICKYFILE, + SUSER_ALLOWJAIL); + if (error) return (EFTYPE); - if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) - return (EPERM); + } + if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) { + error = priv_check_cred(cred, PRIV_VFS_SETGID, + SUSER_ALLOWJAIL); + if (error) + return (error); } ip->i_mode &= ~ALLPERMS; ip->i_mode |= (mode & ALLPERMS); @@ -573,17 +581,23 @@ * to a group of which we are not a member, the caller must * have privilege. */ - if ((uid != ip->i_uid || - (gid != ip->i_gid && !groupmember(gid, cred))) && - (error = suser_cred(cred, SUSER_ALLOWJAIL))) - return (error); + if (uid != ip->i_uid || (gid != ip->i_gid && + !groupmember(gid, cred))) { + error = priv_check_cred(cred, PRIV_VFS_CHOWN, + SUSER_ALLOWJAIL); + if (error) + return (error); + } ogid = ip->i_gid; ouid = ip->i_uid; ip->i_gid = gid; ip->i_uid = uid; ip->i_flag |= IN_CHANGE; - if (suser_cred(cred, SUSER_ALLOWJAIL) && (ouid != uid || ogid != gid)) - ip->i_mode &= ~(ISUID | ISGID); + if (ouid != uid || ogid != gid) { + if (priv_check_cred(cred, PRIV_VFS_CLEARSUGID, + SUSER_ALLOWJAIL) != 0) + ip->i_mode &= ~(ISUID | ISGID); + } return (0); } 
@@ -1608,9 +1622,11 @@ ip->i_mode = mode; tvp->v_type = IFTOVT(mode); /* Rest init'd in getnewvnode(). */ ip->i_nlink = 1; - if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) && - suser_cred(cnp->cn_cred, SUSER_ALLOWJAIL)) - ip->i_mode &= ~ISGID; + if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred)) { + if (priv_check_cred(cnp->cn_cred, PRIV_VFS_CLEARSUGID, + SUSER_ALLOWJAIL)) + ip->i_mode &= ~ISGID; + } if (cnp->cn_flags & ISWHITEOUT) ip->i_flags |= UF_OPAQUE; Index: sys/gnu/fs/reiserfs/reiserfs_fs.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/reiserfs/reiserfs_fs.h,v retrieving revision 1.4 diff -u -r1.4 reiserfs_fs.h --- sys/gnu/fs/reiserfs/reiserfs_fs.h 4 Dec 2005 09:57:09 -0000 1.4 +++ sys/gnu/fs/reiserfs/reiserfs_fs.h 30 Oct 2006 17:07:55 -0000 @@ -18,6 +18,7 @@ #include #include #include +#include #include #include #include Index: sys/gnu/fs/reiserfs/reiserfs_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/reiserfs/reiserfs_vfsops.c,v retrieving revision 1.6 diff -u -r1.6 reiserfs_vfsops.c --- sys/gnu/fs/reiserfs/reiserfs_vfsops.c 26 Sep 2006 04:12:47 -0000 1.6 +++ sys/gnu/fs/reiserfs/reiserfs_vfsops.c 30 Oct 2006 17:07:55 -0000 
@@ -125,15 +125,15 @@ /* If mount by non-root, then verify that user has necessary * permissions on the device. */ - if (suser(td)) { - accessmode = VREAD; - if ((mp->mnt_flag & MNT_RDONLY) == 0) - accessmode |= VWRITE; - if ((error = VOP_ACCESS(devvp, - accessmode, td->td_ucred, td)) != 0) { - vput(devvp); - return (error); - } + accessmode = VREAD; + if ((mp->mnt_flag & MNT_RDONLY) == 0) + accessmode |= VWRITE; + error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { + vput(devvp); + return (error); } if ((mp->mnt_flag & MNT_UPDATE) == 0) { Index: sys/gnu/fs/xfs/FreeBSD/xfs_super.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/gnu/fs/xfs/FreeBSD/xfs_super.c,v retrieving revision 1.4 diff -u -r1.4 xfs_super.c --- sys/gnu/fs/xfs/FreeBSD/xfs_super.c 10 Jun 2006 19:02:13 -0000 1.4 +++ sys/gnu/fs/xfs/FreeBSD/xfs_super.c 30 Oct 2006 17:07:55 -0000 @@ -53,6 +53,8 @@ #include "xfs_version.h" #include "xfs_buf.h" +#include + #include #include @@ -149,14 +151,15 @@ vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); ronly = ((XFS_MTOVFS(mp)->vfs_flag & VFS_RDONLY) != 0); - if (suser(td)) { - accessmode = VREAD; - if (!ronly) - accessmode |= VWRITE; - if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td))!= 0){ - vput(devvp); - return (error); - } + accessmode = VREAD; + if (!ronly) + accessmode |= VWRITE; + error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { + vput(devvp); + return (error); } DROP_GIANT(); Index: sys/i386/i386/io.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/io.c,v retrieving revision 1.1 diff -u -r1.1 io.c --- sys/i386/i386/io.c 1 Aug 2004 11:40:52 -0000 1.1 +++ sys/i386/i386/io.c 30 Oct 2006 17:07:55 -0000 
@@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -54,7 +55,7 @@ { int error; - error = suser(td); + error = priv_check(td, PRIV_IO); if (error != 0) return (error); error = securelevel_gt(td->td_ucred, 0); Index: sys/i386/i386/sys_machdep.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/sys_machdep.c,v retrieving revision 1.106 diff -u -r1.106 sys_machdep.c --- sys/i386/i386/sys_machdep.c 22 Oct 2006 11:52:12 -0000 1.106 +++ sys/i386/i386/sys_machdep.c 30 Oct 2006 17:07:55 -0000 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -292,7 +293,7 @@ if ((error = mac_check_sysarch_ioperm(td->td_ucred)) != 0) return (error); #endif - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_IO)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); Index: sys/i386/i386/vm86.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/i386/vm86.c,v retrieving revision 1.59 diff -u -r1.59 vm86.c --- sys/i386/i386/vm86.c 28 Sep 2005 07:03:03 -0000 1.59 +++ sys/i386/i386/vm86.c 30 Oct 2006 17:07:55 -0000 @@ -29,6 +29,7 @@ #include #include +#include #include #include #include @@ -724,7 +725,7 @@ case VM86_INTCALL: { struct vm86_intcall_args sa; - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_VM86_INTCALL))) return (error); if ((error = copyin(ua.sub_args, &sa, sizeof(sa)))) return (error); Index: sys/i386/ibcs2/ibcs2_misc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_misc.c,v retrieving revision 1.65 diff -u -r1.65 ibcs2_misc.c --- sys/i386/ibcs2/ibcs2_misc.c 22 Oct 2006 11:52:12 -0000 1.65 +++ sys/i386/ibcs2/ibcs2_misc.c 30 Oct 2006 17:07:55 -0000 
@@ -68,6 +68,7 @@ #include #include /* Must come after sys/malloc.h */ #include +#include #include #include #include @@ -1008,14 +1009,22 @@ #define IBCS2_DATALOCK 4 - if ((error = suser(td)) != 0) - return EPERM; switch(uap->cmd) { case IBCS2_UNLOCK: + error = priv_check(td, PRIV_VM_MUNLOCK); + if (error) + return (error); + /* XXX - TODO */ + return (0); + case IBCS2_PROCLOCK: case IBCS2_TEXTLOCK: case IBCS2_DATALOCK: - return 0; /* XXX - TODO */ + error = priv_check(td, PRIV_VM_MLOCK); + if (error) + return (error); + /* XXX - TODO */ + return 0; } return EINVAL; } @@ -1043,9 +1052,6 @@ #define SCO_AD_GETBMAJ 0 #define SCO_AD_GETCMAJ 1 - if (suser(td)) - return EPERM; - switch(uap->cmd) { case SCO_A_REBOOT: case SCO_A_SHUTDOWN: @@ -1055,11 +1061,11 @@ case SCO_AD_PWRDOWN: case SCO_AD_PWRNAP: r.opt = RB_HALT; - reboot(td, &r); + return (reboot(td, &r)); case SCO_AD_BOOT: case SCO_AD_IBOOT: r.opt = RB_AUTOBOOT; - reboot(td, &r); + return (reboot(td, &r)); } return EINVAL; case SCO_A_REMOUNT: Index: sys/i386/ibcs2/ibcs2_socksys.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_socksys.c,v retrieving revision 1.21 diff -u -r1.21 ibcs2_socksys.c --- sys/i386/ibcs2/ibcs2_socksys.c 6 Jan 2005 23:22:04 -0000 1.21 +++ sys/i386/ibcs2/ibcs2_socksys.c 30 Oct 2006 17:07:55 -0000 @@ -174,9 +174,6 @@ char hname[MAXHOSTNAMELEN], *ptr; int error, sctl[2], hlen; - if ((error = suser(td))) - return (error); - /* W/out a hostname a domain-name is nonsense */ if ( strlen(hostname) == 0 ) return EINVAL; Index: sys/i386/ibcs2/ibcs2_sysi86.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/ibcs2/ibcs2_sysi86.c,v retrieving revision 1.22 diff -u -r1.22 ibcs2_sysi86.c --- sys/i386/ibcs2/ibcs2_sysi86.c 7 Jul 2005 19:30:30 -0000 1.22 +++ sys/i386/ibcs2/ibcs2_sysi86.c 30 Oct 2006 17:07:55 -0000 
@@ -76,8 +76,6 @@ int name[2]; int error; - if ((error = suser(td))) - return (error); name[0] = CTL_KERN; name[1] = KERN_HOSTNAME; mtx_lock(&Giant); Index: sys/i386/linux/linux_machdep.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i386/linux/linux_machdep.c,v retrieving revision 1.63 diff -u -r1.63 linux_machdep.c --- sys/i386/linux/linux_machdep.c 20 Oct 2006 10:09:40 -0000 1.63 +++ sys/i386/linux/linux_machdep.c 30 Oct 2006 17:07:55 -0000 @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -812,7 +813,7 @@ if (args->level < 0 || args->level > 3) return (EINVAL); - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_IO)) != 0) return (error); if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); Index: sys/i4b/driver/i4b_ipr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/i4b/driver/i4b_ipr.c,v retrieving revision 1.35 diff -u -r1.35 i4b_ipr.c --- sys/i4b/driver/i4b_ipr.c 9 Aug 2005 10:19:57 -0000 1.35 +++ sys/i4b/driver/i4b_ipr.c 30 Oct 2006 17:07:55 -0000 @@ -490,7 +490,7 @@ { struct thread *td = curthread; /* XXX */ - if((error = suser(td))) + if((error = priv_check(td, PRIV_DRIVER))) return (error); sl_compress_setup(sc->sc_compr, *(int *)data); } Index: sys/ia64/ia64/ssc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ia64/ia64/ssc.c,v retrieving revision 1.28 diff -u -r1.28 ssc.c --- sys/ia64/ia64/ssc.c 27 May 2006 17:52:08 -0000 1.28 +++ sys/ia64/ia64/ssc.c 30 Oct 2006 17:07:55 -0000 
@@ -147,7 +147,8 @@ ttyconsolemode(tp, 0); setuptimeout = 1; - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && + priv_check(td, PRIV_TTY_EXCLUSIVE)) { splx(s); return EBUSY; } Index: sys/isofs/cd9660/cd9660_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/isofs/cd9660/cd9660_vfsops.c,v retrieving revision 1.146 diff -u -r1.146 cd9660_vfsops.c --- sys/isofs/cd9660/cd9660_vfsops.c 26 Sep 2006 04:12:47 -0000 1.146 +++ sys/isofs/cd9660/cd9660_vfsops.c 30 Oct 2006 17:07:55 -0000 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -174,7 +175,7 @@ vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); if (error) - error = suser(td); + error = priv_check(td, PRIV_VFS_MOUNT_PERM); if (error) { vput(devvp); return (error); Index: sys/kern/kern_acct.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_acct.c,v retrieving revision 1.84 diff -u -r1.84 kern_acct.c --- sys/kern/kern_acct.c 22 Oct 2006 11:52:12 -0000 1.84 +++ sys/kern/kern_acct.c 30 Oct 2006 17:07:55 -0000 @@ -56,6 +56,7 @@ #include #include #include +#include #include #include #include @@ -166,8 +167,7 @@ struct nameidata nd; int error, flags, vfslocked; - /* Make sure that the caller is root. */ - error = suser(td); + error = priv_check(td, PRIV_ACCT); if (error) return (error); Index: sys/kern/kern_descrip.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_descrip.c,v retrieving revision 1.298 diff -u -r1.298 kern_descrip.c --- sys/kern/kern_descrip.c 24 Sep 2006 02:29:53 -0000 1.298 +++ sys/kern/kern_descrip.c 30 Oct 2006 17:07:55 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include #include 
@@ -1351,8 +1352,8 @@ sx_xlock(&filelist_lock); if ((openfiles >= maxuserfiles && - suser_cred(td->td_ucred, SUSER_RUID) != 0) || - openfiles >= maxfiles) { + priv_check_cred(td->td_ucred, PRIV_MAXFILES, SUSER_RUID) != 0) + || openfiles >= maxfiles) { if (ppsratecheck(&lastfail, &curfail, 1)) { printf("kern.maxfiles limit exceeded by uid %i, please see tuning(7).\n", td->td_ucred->cr_ruid); Index: sys/kern/kern_environment.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_environment.c,v retrieving revision 1.45 diff -u -r1.45 kern_environment.c --- sys/kern/kern_environment.c 22 Oct 2006 11:52:12 -0000 1.45 +++ sys/kern/kern_environment.c 30 Oct 2006 17:07:55 -0000 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include @@ -125,11 +126,18 @@ return (error); } - if ((uap->what == KENV_SET) || - (uap->what == KENV_UNSET)) { - error = suser(td); + switch (uap->what) { + case KENV_SET: + error = priv_check(td, PRIV_KENV_SET); + if (error) + return (error); + break; + + case KENV_UNSET: + error = priv_check(td, PRIV_KENV_UNSET); if (error) return (error); + break; } name = malloc(KENV_MNAMELEN, M_TEMP, M_WAITOK); Index: sys/kern/kern_exec.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_exec.c,v retrieving revision 1.298 diff -u -r1.298 kern_exec.c --- sys/kern/kern_exec.c 22 Oct 2006 21:18:47 -0000 1.298 +++ sys/kern/kern_exec.c 31 Oct 2006 08:28:07 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include 
@@ -571,8 +572,11 @@ * we do not regain any tracing during a possible block. */ setsugid(p); + #ifdef KTRACE - if (p->p_tracevp != NULL && suser_cred(oldcred, SUSER_ALLOWJAIL)) { + if (p->p_tracevp != NULL && + priv_check_cred(oldcred, PRIV_DEBUG_DIFFCRED, + SUSER_ALLOWJAIL)) { mtx_lock(&ktrace_mtx); p->p_traceflag = 0; tracevp = p->p_tracevp; Index: sys/kern/kern_fork.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_fork.c,v retrieving revision 1.263 diff -u -r1.263 kern_fork.c --- sys/kern/kern_fork.c 26 Oct 2006 21:42:19 -0000 1.263 +++ sys/kern/kern_fork.c 30 Oct 2006 17:07:55 -0000 @@ -51,6 +51,7 @@ #include #include #include +#include #include #include #include @@ -310,7 +311,7 @@ */ sx_xlock(&allproc_lock); if ((nprocs >= maxproc - 10 && - suser_cred(td->td_ucred, SUSER_RUID) != 0) || + priv_check_cred(td->td_ucred, PRIV_MAXPROC, SUSER_RUID) != 0) || nprocs >= maxproc) { error = EAGAIN; goto fail; @@ -319,8 +320,11 @@ /* * Increment the count of procs running with this uid. Don't allow * a nonprivileged user to exceed their current limit. + * + * XXXRW: Can we avoid privilege here if it's not needed? */ - error = suser_cred(td->td_ucred, SUSER_RUID | SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_PROC_LIMIT, SUSER_RUID | + SUSER_ALLOWJAIL); if (error == 0) ok = chgproccnt(td->td_ucred->cr_ruidinfo, 1, 0); else { Index: sys/kern/kern_jail.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_jail.c,v retrieving revision 1.53 diff -u -r1.53 kern_jail.c --- sys/kern/kern_jail.c 22 Oct 2006 11:52:13 -0000 1.53 +++ sys/kern/kern_jail.c 30 Oct 2006 17:07:55 -0000 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include 
@@ -205,7 +206,7 @@ * a process root from one prison, but attached to the jail * of another. */ - error = suser(td); + error = priv_check(td, PRIV_JAIL_ATTACH); if (error) return (error); 
@@ -523,6 +524,172 @@ } } +/* + * Check with permission for a specific privilege is granted within jail. We + * have a specific list of accepted privileges; the rest are denied. + */ +int +prison_priv_check(struct ucred *cred, int priv) +{ + + if (!(jailed(cred))) + return (0); + + switch (priv) { + + /* + * Allow ktrace privileges for root in jail. + */ + case PRIV_KTRACE: + + /* + * Allow jailed processes to configure audit identity and + * submit audit records (login, etc). In the future we may + * want to further refine the relationship between audit and + * jail. + */ + case PRIV_AUDIT_GETAUDIT: + case PRIV_AUDIT_SETAUDIT: + case PRIV_AUDIT_SUBMIT: + + /* + * Allow jailed processes to manipulate process UNIX + * credentials in any way they see fit. + */ + case PRIV_CRED_SETUID: + case PRIV_CRED_SETEUID: + case PRIV_CRED_SETGID: + case PRIV_CRED_SETEGID: + case PRIV_CRED_SETGROUPS: + case PRIV_CRED_SETREUID: + case PRIV_CRED_SETREGID: + case PRIV_CRED_SETRESUID: + case PRIV_CRED_SETRESGID: + + /* + * Jail implements visibility constraints already, so allow + * jailed root to override uid/gid-based constraints. + */ + case PRIV_SEEOTHERGIDS: + case PRIV_SEEOTHERUIDS: + + /* + * Jail implements inter-process debugging limits already, so + * allow jailed root various debugging privileges. + */ + case PRIV_DEBUG_DIFFCRED: + case PRIV_DEBUG_SUGID: + case PRIV_DEBUG_UNPRIV: + + /* + * Allow jail to set various resource limits and login + * properties, and for now, exceed process resource limits. + */ + case PRIV_PROC_LIMIT: + case PRIV_PROC_SETLOGIN: + case PRIV_PROC_SETRLIMIT: + + /* + * System V and POSIX IPC privileges are granted in jail. + */ + case PRIV_IPC_READ: + case PRIV_IPC_WRITE: + case PRIV_IPC_EXEC: + case PRIV_IPC_ADMIN: + case PRIV_IPC_MSGSIZE: + case PRIV_MQ_ADMIN: + + /* + * Jail implements its own inter-process limits, so allow + * root processes in jail to change scheduling on other + * processes in the same jail. Likewise for signalling. 
+ */ + case PRIV_SCHED_DIFFCRED: + case PRIV_SIGNAL_DIFFCRED: + case PRIV_SIGNAL_SUGID: + + /* + * Allow jailed processes to write to sysctls marked as jail + * writable. + */ + case PRIV_SYSCTL_WRITEJAIL: + + /* + * Allow root in jail to manage a variety of quota + * properties. Some are a bit surprising and should be + * reconsidered. + */ + case PRIV_UFS_GETQUOTA: + case PRIV_UFS_QUOTAOFF: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_QUOTAON: /* XXXRW: Slightly surprising. */ + case PRIV_UFS_SETQUOTA: + case PRIV_UFS_SETUSE: /* XXXRW: Slightly surprising. */ + + /* + * Since Jail relies on chroot() to implement file system + * protections, grant many VFS privileges to root in jail. + * Be careful to exclude mount-related and NFS-related + * privileges. + */ + case PRIV_VFS_READ: + case PRIV_VFS_WRITE: + case PRIV_VFS_ADMIN: + case PRIV_VFS_EXEC: + case PRIV_VFS_LOOKUP: + case PRIV_VFS_BLOCKRESERVE: /* XXXRW: Slightly surprising. */ + case PRIV_VFS_CHFLAGS_DEV: + case PRIV_VFS_CHOWN: + case PRIV_VFS_CHROOT: + case PRIV_VFS_CLEARSUGID: + case PRIV_VFS_FCHROOT: + case PRIV_VFS_LINK: + case PRIV_VFS_SETGID: + case PRIV_VFS_STICKYFILE: + return (0); + + /* + * Depending on the global setting, allow privilege of + * setting system flags. + */ + case PRIV_VFS_SYSFLAGS: + if (jail_chflags_allowed) + return (0); + else + return (EPERM); + + /* + * Allow jailed root to bind reserved ports. + */ + case PRIV_NETINET_RESERVEDPORT: + return (0); + + /* + * Conditionally allow creating raw sockets in jail. + */ + case PRIV_NETINET_RAW: + if (jail_allow_raw_sockets) + return (0); + else + return (EPERM); + + /* + * Since jail implements its own visibility limits on netstat + * sysctls, allow getcred. This allows identd to work in + * jail. + */ + case PRIV_NETINET_GETCRED: + return (0); + + default: + /* + * In all remaining cases, deny the privilege request. This + * includes almost all network privileges, many system + * configuration privileges. 
+ */ + return (EPERM); + } +} + static int sysctl_jail_list(SYSCTL_HANDLER_ARGS) { Index: sys/kern/kern_ktrace.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_ktrace.c,v retrieving revision 1.111 diff -u -r1.111 kern_ktrace.c --- sys/kern/kern_ktrace.c 22 Oct 2006 11:52:13 -0000 1.111 +++ sys/kern/kern_ktrace.c 30 Oct 2006 17:07:55 -0000 @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include @@ -807,7 +808,8 @@ p->p_tracecred = crhold(td->td_ucred); } p->p_traceflag |= facs; - if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) + if (priv_check_cred(td->td_ucred, PRIV_KTRACE, + SUSER_ALLOWJAIL) == 0) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ @@ -1013,7 +1015,7 @@ PROC_LOCK_ASSERT(targetp, MA_OWNED); if (targetp->p_traceflag & KTRFAC_ROOT && - suser_cred(td->td_ucred, SUSER_ALLOWJAIL)) + priv_check_cred(td->td_ucred, PRIV_KTRACE, SUSER_ALLOWJAIL)) return (0); if (p_candebug(td, targetp) != 0) Index: sys/kern/kern_linker.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_linker.c,v retrieving revision 1.143 diff -u -r1.143 kern_linker.c --- sys/kern/kern_linker.c 22 Oct 2006 11:52:13 -0000 1.143 +++ sys/kern/kern_linker.c 30 Oct 2006 17:07:55 -0000 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -854,7 +855,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_LOAD)) != 0) return (error); /* 
@@ -921,7 +922,7 @@ if ((error = securelevel_gt(td->td_ucred, 0)) != 0) return (error); - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_KLD_UNLOAD)) != 0) return (error); KLD_LOCK(); Index: sys/kern/kern_ntptime.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_ntptime.c,v retrieving revision 1.59 diff -u -r1.59 kern_ntptime.c --- sys/kern/kern_ntptime.c 28 May 2005 14:34:41 -0000 1.59 +++ sys/kern/kern_ntptime.c 30 Oct 2006 17:07:55 -0000 @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -333,7 +334,7 @@ mtx_lock(&Giant); modes = ntv.modes; if (modes) - error = suser(td); + error = priv_check(td, PRIV_NTP_ADJTIME); if (error) goto done2; s = splclock(); @@ -954,7 +955,7 @@ struct timeval atv; int error; - if ((error = suser(td))) + if ((error = priv_check(td, PRIV_ADJTIME))) return (error); mtx_lock(&Giant); Index: sys/kern/kern_priv.c =================================================================== RCS file: sys/kern/kern_priv.c diff -N sys/kern/kern_priv.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/kern/kern_priv.c 31 Oct 2006 08:22:47 -0000 
@@ -0,0 +1,154 @@ +/*- + * Copyright (c) 2006 nCircle Network Security, Inc. + * All rights reserved. + * + * This software was developed by Robert N. M. Watson for the TrustedBSD + * Project under contract to nCircle Network Security, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, + * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include "opt_mac.h" + +#include +#include +#include +#include +#include +#include +#include + +#include + +/* + * `suser_enabled' (which can be set by the security.bsd.suser_enabled + * sysctl) determines whether the system 'super-user' policy is in effect. If + * it is nonzero, an effective uid of 0 connotes special privilege, + * overriding many mandatory and discretionary protections. 
If it is zero, + * uid 0 is offered no special privilege in the kernel security policy. + * Setting it to zero may seriously impact the functionality of many existing + * userland programs, and should not be done without careful consideration of + * the consequences. + */ +int suser_enabled = 1; +SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, + &suser_enabled, 0, "processes with uid 0 have privilege"); +TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); + +/* + * Check a credential for privilege. Lots of good reasons to deny privilege; + * only a few to grant it. + */ +int +priv_check_cred(struct ucred *cred, int priv, int flags) +{ + int error; + + KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege %d", + priv)); + +#ifdef MAC + error = mac_priv_check(cred, priv); + if (error) + return (error); +#endif + + /* + * Jail policy will restrict certain privileges that may otherwise be + * be granted. + * + * While debugging the transition from SUSER_ALLOWJAIL to Jail being + * aware of specific privileges, perform run-time checking that the + * two versions of the policy align. This assertion will go away + * once the SUSER_ALLOWJAIL flag has gone away. + */ + error = prison_priv_check(cred, priv); +#ifdef NOTYET + KASSERT(!jailed(cred) || error == ((flags & SUSER_ALLOWJAIL) ? 0 : + EPERM), ("priv_check_cred: prison_priv_check %d but flags %s", + error, flags & SUSER_ALLOWJAIL ? "allowjail" : "!allowjail")); +#endif + if (error) + return (error); + + /* + * Having determined if privilege is restricted by various policies, + * now determine if privilege is granted. For now, we allow + * short-circuit boolean evaluation, so may not call all policies. + * Perhaps we should. + * + * Superuser policy grants privilege based on the effective (or in + * certain edge cases, real) uid being 0. We allow the policy to be + * globally disabled, although this is currently of limited utility. 
+ */ + if (suser_enabled) { + if (flags & SUSER_RUID) { + if (cred->cr_ruid == 0) + return (0); + } else { + if (cred->cr_uid == 0) + return (0); + } + } + + /* + * Now check with MAC, if enabled, to see if a policy module grants + * privilege. + */ +#ifdef MAC + if (mac_priv_grant(cred, priv) == 0) + return (0); +#endif + return (EPERM); +} + +int +priv_check(struct thread *td, int priv) +{ + + KASSERT(td == curthread, ("priv_check: td != curthread")); + + return (priv_check_cred(td->td_ucred, priv, 0)); +} + +/* + * Historical suser() wrapper functions, which now simply request PRIV_ROOT. + * These will be removed in the near future, and exist solely because + * the kernel and modules are not yet fully adapted to the new model. + */ +int +suser_cred(struct ucred *cred, int flags) +{ + + return (priv_check_cred(cred, PRIV_ROOT, flags)); +} + +int +suser(struct thread *td) +{ + + KASSERT(td == curthread, ("suser: td != curthread")); + + return (suser_cred(td->td_ucred, 0)); +} Index: sys/kern/kern_prot.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_prot.c,v retrieving revision 1.205 diff -u -r1.205 kern_prot.c --- sys/kern/kern_prot.c 22 Oct 2006 11:52:13 -0000 1.205 +++ sys/kern/kern_prot.c 30 Oct 2006 17:07:55 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -547,7 +548,8 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ #endif - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETUID, + SUSER_ALLOWJAIL)) != 0) goto fail; /* @@ -563,7 +565,8 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* Use the clause from B.4.2.2 */ uid == oldcred->cr_uid || #endif - suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ + /* We are using privs. */ + priv_check_cred(oldcred, PRIV_CRED_SETUID, SUSER_ALLOWJAIL) == 0) #endif { /* 
@@ -639,7 +642,8 @@ if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETEUID, + SUSER_ALLOWJAIL)) != 0) goto fail; /* @@ -711,7 +715,8 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ #endif - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETGID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); @@ -724,7 +729,8 @@ #ifdef POSIX_APPENDIX_B_4_2_2 /* use the clause from B.4.2.2 */ gid == oldcred->cr_groups[0] || #endif - suser_cred(oldcred, SUSER_ALLOWJAIL) == 0) /* we are using privs */ + /* We are using privs. */ + priv_check_cred(oldcred, PRIV_CRED_SETGID, SUSER_ALLOWJAIL) == 0) #endif { /* @@ -796,7 +802,8 @@ if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETEGID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); @@ -859,7 +866,8 @@ goto fail; #endif - error = suser_cred(oldcred, SUSER_ALLOWJAIL); + error = priv_check_cred(oldcred, PRIV_CRED_SETGROUPS, + SUSER_ALLOWJAIL); if (error) goto fail; @@ -931,7 +939,8 @@ ruid != oldcred->cr_svuid) || (euid != (uid_t)-1 && euid != oldcred->cr_uid && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETREUID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); 
@@ -999,7 +1008,8 @@ rgid != oldcred->cr_svgid) || (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETREGID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); @@ -1079,7 +1089,8 @@ (suid != (uid_t)-1 && suid != oldcred->cr_ruid && suid != oldcred->cr_svuid && suid != oldcred->cr_uid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETRESUID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); @@ -1160,7 +1171,8 @@ (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && sgid != oldcred->cr_svgid && sgid != oldcred->cr_groups[0])) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + (error = priv_check_cred(oldcred, PRIV_CRED_SETRESGID, + SUSER_ALLOWJAIL)) != 0) goto fail; crcopy(newcred, oldcred); 
@@ -1324,65 +1336,14 @@ } /* - * `suser_enabled' (which can be set by the security.suser_enabled - * sysctl) determines whether the system 'super-user' policy is in effect. - * If it is nonzero, an effective uid of 0 connotes special privilege, - * overriding many mandatory and discretionary protections. If it is zero, - * uid 0 is offered no special privilege in the kernel security policy. - * Setting it to zero may seriously impact the functionality of many - * existing userland programs, and should not be done without careful - * consideration of the consequences. - */ -int suser_enabled = 1; -SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW, - &suser_enabled, 0, "processes with uid 0 have privilege"); -TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled); - -/* - * Test whether the specified credentials imply "super-user" privilege. - * Return 0 or EPERM. - */ -int -suser_cred(struct ucred *cred, int flag) -{ - - if (!suser_enabled) - return (EPERM); - if (((flag & SUSER_RUID) ? cred->cr_ruid : cred->cr_uid) != 0) - return (EPERM); - if (jailed(cred) && !(flag & SUSER_ALLOWJAIL)) - return (EPERM); - return (0); -} - -/* - * Shortcut to hide contents of struct td and struct proc from the - * caller, promoting binary compatibility. - */ -int -suser(struct thread *td) -{ - -#ifdef INVARIANTS - if (td != curthread) { - printf("suser: thread %p (%d %s) != curthread %p (%d %s)\n", - td, td->td_proc->p_pid, td->td_proc->p_comm, - curthread, curthread->td_proc->p_pid, - curthread->td_proc->p_comm); -#ifdef KDB - kdb_backtrace(); -#endif - } -#endif - return (suser_cred(td->td_ucred, 0)); -} - -/* * Test the active securelevel against a given level. securelevel_gt() * implements (securelevel > level). securelevel_ge() implements * (securelevel >= level). Note that the logic is inverted -- these * functions return EPERM on "success" and 0 on "failure". * + * XXXRW: Possibly since this has to do with privilege, it should move to + * kern_priv.c. 
+ * * MPSAFE */ int @@ -1435,7 +1396,8 @@ { if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) { - if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) + if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, SUSER_ALLOWJAIL) + != 0) return (ESRCH); } return (0); @@ -1474,7 +1436,8 @@ break; } if (!match) { - if (suser_cred(u1, SUSER_ALLOWJAIL) != 0) + if (priv_check_cred(u1, PRIV_SEEOTHERGIDS, + SUSER_ALLOWJAIL) != 0) return (ESRCH); } } @@ -1591,7 +1554,8 @@ break; default: /* Not permitted without privilege. */ - error = suser_cred(cred, SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_SIGNAL_SUGID, + SUSER_ALLOWJAIL); if (error) return (error); } @@ -1606,7 +1570,8 @@ cred->cr_uid != proc->p_ucred->cr_ruid && cred->cr_uid != proc->p_ucred->cr_svuid) { /* Not permitted without privilege. */ - error = suser_cred(cred, SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_SIGNAL_DIFFCRED, + SUSER_ALLOWJAIL); if (error) return (error); } @@ -1614,7 +1579,6 @@ return (0); } - /*- * Determine whether td may deliver the specified signal to p. * Returns: 0 for permitted, an errno value otherwise @@ -1683,19 +1647,14 @@ return (error); if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) return (error); - if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) - return (0); - if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) - return (0); - if (suser_cred(td->td_ucred, SUSER_ALLOWJAIL) == 0) - return (0); - -#ifdef CAPABILITIES - if (!cap_check(NULL, td, CAP_SYS_NICE, SUSER_ALLOWJAIL)) - return (0); -#endif - - return (EPERM); + if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && + td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { + error = priv_check_cred(td->td_ucred, PRIV_SCHED_DIFFCRED, + SUSER_ALLOWJAIL); + if (error) + return (error); + } + return (0); } /* 
@@ -1730,7 +1689,8 @@ KASSERT(td == curthread, ("%s: td not curthread", __func__)); PROC_LOCK_ASSERT(p, MA_OWNED); if (!unprivileged_proc_debug) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_DEBUG_UNPRIV, + SUSER_ALLOWJAIL); if (error) return (error); } @@ -1778,11 +1738,18 @@ /* * If p's gids aren't a subset, or the uids aren't a subset, * or the credential has changed, require appropriate privilege - * for td to debug p. For POSIX.1e capabilities, this will - * require CAP_SYS_PTRACE. + * for td to debug p. */ - if (!grpsubset || !uidsubset || credentialchanged) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + if (!grpsubset || !uidsubset) { + error = priv_check_cred(td->td_ucred, PRIV_DEBUG_DIFFCRED, + SUSER_ALLOWJAIL); + if (error) + return (error); + } + + if (credentialchanged) { + error = priv_check_cred(td->td_ucred, PRIV_DEBUG_SUGID, + SUSER_ALLOWJAIL); if (error) return (error); } @@ -1796,6 +1763,7 @@ /* * Can't trace a process that's currently exec'ing. + * * XXX: Note, this is not a security policy decision, it's a * basic correctness/functionality decision. Therefore, this check * should be moved to the caller's of p_candebug(). @@ -2057,7 +2025,8 @@ int error; char logintmp[MAXLOGNAME]; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_PROC_SETLOGIN, + SUSER_ALLOWJAIL); if (error) return (error); error = copyinstr(uap->namebuf, logintmp, sizeof(logintmp), NULL); Index: sys/kern/kern_resource.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_resource.c,v retrieving revision 1.161 diff -u -r1.161 kern_resource.c --- sys/kern/kern_resource.c 26 Oct 2006 21:42:19 -0000 1.161 +++ sys/kern/kern_resource.c 30 Oct 2006 17:07:55 -0000 @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include 
@@ -264,7 +265,7 @@ n = PRIO_MAX; if (n < PRIO_MIN) n = PRIO_MIN; - if (n < p->p_nice && suser(td) != 0) + if (n < p->p_nice && priv_check(td, PRIV_SCHED_SETPRIORITY) != 0) return (EACCES); mtx_lock_spin(&sched_lock); sched_nice(p, n); @@ -468,7 +469,7 @@ break; /* Disallow setting rtprio in most cases if not superuser. */ - if (suser(td) != 0) { + if (priv_check(td, PRIV_SCHED_RTPRIO) != 0) { /* can't set someone else's */ if (uap->pid) { error = EPERM; @@ -754,7 +755,8 @@ alimp = &oldlim->pl_rlimit[which]; if (limp->rlim_cur > alimp->rlim_max || limp->rlim_max > alimp->rlim_max) - if ((error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL))) { + if ((error = priv_check_cred(td->td_ucred, + PRIV_PROC_SETRLIMIT, SUSER_ALLOWJAIL))) { PROC_UNLOCK(p); lim_free(newlim); return (error); Index: sys/kern/kern_shutdown.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_shutdown.c,v retrieving revision 1.179 diff -u -r1.179 kern_shutdown.c --- sys/kern/kern_shutdown.c 22 Oct 2006 11:52:13 -0000 1.179 +++ sys/kern/kern_shutdown.c 30 Oct 2006 17:07:55 -0000 @@ -55,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -164,7 +165,7 @@ error = mac_check_system_reboot(td->td_ucred, uap->opt); #endif if (error == 0) - error = suser(td); + error = priv_check(td, PRIV_REBOOT); if (error == 0) { mtx_lock(&Giant); boot(uap->opt); Index: sys/kern/kern_sysctl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_sysctl.c,v retrieving revision 1.171 diff -u -r1.171 kern_sysctl.c --- sys/kern/kern_sysctl.c 22 Oct 2006 11:52:13 -0000 1.171 +++ sys/kern/kern_sysctl.c 30 Oct 2006 17:07:55 -0000 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include 
@@ -512,7 +513,7 @@ { int error; - error = suser(req->td); + error = priv_check(req->td, PRIV_SYSCTL_DEBUG); if (error) return (error); sysctl_sysctl_debug_dump_node(&sysctl__children, 0); @@ -1253,13 +1254,11 @@ /* Is this sysctl writable by only privileged users? */ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) { - int flags; - if (oid->oid_kind & CTLFLAG_PRISON) - flags = SUSER_ALLOWJAIL; + error = priv_check_cred(req->td->td_ucred, + PRIV_SYSCTL_WRITEJAIL, SUSER_ALLOWJAIL); else - flags = 0; - error = suser_cred(req->td->td_ucred, flags); + error = priv_check(req->td, PRIV_SYSCTL_WRITE); if (error) return (error); } Index: sys/kern/kern_thr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_thr.c,v retrieving revision 1.54 diff -u -r1.54 kern_thr.c --- sys/kern/kern_thr.c 26 Oct 2006 21:42:20 -0000 1.54 +++ sys/kern/kern_thr.c 30 Oct 2006 17:07:55 -0000 @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -164,7 +165,7 @@ case RTP_PRIO_REALTIME: case RTP_PRIO_FIFO: /* Only root can set scheduler policy */ - if (suser(td) != 0) + if (priv_check(td, PRIV_SCHED_SETPOLICY) != 0) return (EPERM); if (rtp->prio > RTP_PRIO_MAX) return (EINVAL); Index: sys/kern/kern_time.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_time.c,v retrieving revision 1.134 diff -u -r1.134 kern_time.c --- sys/kern/kern_time.c 22 Oct 2006 11:52:13 -0000 1.134 +++ sys/kern/kern_time.c 30 Oct 2006 17:07:55 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -286,7 +287,7 @@ if (error) return (error); #endif - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_CLOCK_SETTIME)) != 0) return (error); if (clock_id != CLOCK_REALTIME) return (EINVAL); 
@@ -504,7 +505,7 @@ if (error) return (error); #endif - error = suser(td); + error = priv_check(td, PRIV_SETTIMEOFDAY); if (error) return (error); /* Verify all parameters before changing time. */ Index: sys/kern/kern_umtx.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_umtx.c,v retrieving revision 1.53 diff -u -r1.53 kern_umtx.c --- sys/kern/kern_umtx.c 26 Oct 2006 21:42:20 -0000 1.53 +++ sys/kern/kern_umtx.c 30 Oct 2006 17:07:55 -0000 @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include @@ -1813,7 +1814,7 @@ if ((error = umtx_key_get(m, TYPE_PP_UMUTEX, GET_SHARE(flags), &uq->uq_key)) != 0) return (error); - su = (suser(td) == 0); + su = (priv_check(td, PRIV_SCHED_RTPRIO) == 0); for (;;) { old_inherited_pri = uq->uq_inherited_pri; umtxq_lock(&uq->uq_key); @@ -1934,7 +1935,7 @@ id = td->td_tid; uq = td->td_umtxq; - su = (suser(td) == 0); + su = (priv_check(td, PRIV_SCHED_RTPRIO) == 0); /* * Make sure we own this mtx. Index: sys/kern/kern_xxx.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/kern_xxx.c,v retrieving revision 1.46 diff -u -r1.46 kern_xxx.c --- sys/kern/kern_xxx.c 6 Jan 2005 23:35:39 -0000 1.46 +++ sys/kern/kern_xxx.c 30 Oct 2006 17:07:55 -0000 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include @@ -139,7 +140,8 @@ { int error; - if ((error = suser(td))) + error = priv_check(td, PRIV_SETHOSTID); + if (error) return (error); mtx_lock(&Giant); hostid = uap->hostid; @@ -295,9 +297,10 @@ { int error, domainnamelen; + error = priv_check(td, PRIV_SETDOMAINNAME); + if (error) + return (error); mtx_lock(&Giant); - if ((error = suser(td))) - goto done2; if ((u_int)uap->len > sizeof (domainname) - 1) { error = EINVAL; goto done2; 
@@ -309,4 +312,3 @@ mtx_unlock(&Giant); return (error); } - Index: sys/kern/subr_acl_posix1e.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/subr_acl_posix1e.c,v retrieving revision 1.50 diff -u -r1.50 subr_acl_posix1e.c --- sys/kern/subr_acl_posix1e.c 23 Jul 2006 19:35:10 -0000 1.50 +++ sys/kern/subr_acl_posix1e.c 31 Oct 2006 08:30:24 -0000 @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -46,9 +47,9 @@ /* * Implement a version of vaccess() that understands POSIX.1e ACL semantics; - * the access ACL has already been prepared for evaluation by the file - * system and is passed via 'uid', 'gid', and 'acl'. Return 0 on success, - * else an errno value. + * the access ACL has already been prepared for evaluation by the file system + * and is passed via 'uid', 'gid', and 'acl'. Return 0 on success, else an + * errno value. */ int vaccess_acl_posix1e(enum vtype type, uid_t file_uid, gid_t file_gid, @@ -56,14 +57,14 @@ { struct acl_entry *acl_other, *acl_mask; mode_t dac_granted; - mode_t cap_granted; + mode_t priv_granted; mode_t acl_mask_granted; int group_matched, i; /* * Look for a normal, non-privileged way to access the file/directory * as requested. If it exists, go with that. Otherwise, attempt to - * use privileges granted via cap_granted. In some cases, which + * use privileges granted via priv_granted. In some cases, which * privileges to use may be ambiguous due to "best match", in which * case fall back on first match for the time being. */ 
@@ -72,40 +73,34 @@ /* * Determine privileges now, but don't apply until we've found a DAC - * entry that matches but has failed to allow access. POSIX.1e - * capabilities are not implemented, but we document how they would - * behave here if implemented. - */ -#ifndef CAPABILITIES - if (suser_cred(cred, SUSER_ALLOWJAIL) == 0) - cap_granted = VALLPERM; - else - cap_granted = 0; -#else - cap_granted = 0; + * entry that matches but has failed to allow access. + * + * XXXRW: Ideally, we'd determine the privileges required before + * asking for them. + */ + priv_granted = 0; if (type == VDIR) { - if ((acc_mode & VEXEC) && !cap_check(cred, NULL, - CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + if ((acc_mode & VEXEC) && !priv_check_cred(cred, + PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } else { - if ((acc_mode & VEXEC) && !cap_check(cred, NULL, - CAP_DAC_EXECUTE, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + if ((acc_mode & VEXEC) && !priv_check_cred(cred, + PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } - if ((acc_mode & VREAD) && !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, + if ((acc_mode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL)) - cap_granted |= VREAD; + priv_granted |= VREAD; if (((acc_mode & VWRITE) || (acc_mode & VAPPEND)) && - !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL)) - cap_granted |= (VWRITE | VAPPEND); + !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + priv_granted |= (VWRITE | VAPPEND); - if ((acc_mode & VADMIN) && !cap_check(cred, NULL, CAP_FOWNER, + if ((acc_mode & VADMIN) && !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)) - cap_granted |= VADMIN; -#endif /* CAPABILITIES */ + priv_granted |= VADMIN; /* * The owner matches if the effective uid associated with the 
@@ -129,7 +124,11 @@ dac_granted |= (VWRITE | VAPPEND); if ((acc_mode & dac_granted) == acc_mode) return (0); - if ((acc_mode & (dac_granted | cap_granted)) == + + /* + * XXXRW: Do privilege lookup here. + */ + if ((acc_mode & (dac_granted | priv_granted)) == acc_mode) { if (privused != NULL) *privused = 1; @@ -183,13 +182,9 @@ acl_mask_granted = VEXEC | VREAD | VWRITE | VAPPEND; /* - * Iterate through user ACL entries. Do checks twice, first without - * privilege, and then if a match is found but failed, a second time - * with privilege. - */ - - /* - * Check ACL_USER ACL entries. + * Check ACL_USER ACL entries. There will either be one or no + * matches; if there is one, we accept or rejected based on the + * match; otherwise, we continue on to groups. */ for (i = 0; i < acl->acl_cnt; i++) { switch (acl->acl_entry[i].ae_tag) { @@ -206,7 +201,10 @@ dac_granted &= acl_mask_granted; if ((acc_mode & dac_granted) == acc_mode) return (0); - if ((acc_mode & (dac_granted | cap_granted)) != + /* + * XXXRW: Do privilege lookup here. + */ + if ((acc_mode & (dac_granted | priv_granted)) != acc_mode) goto error; @@ -286,8 +284,11 @@ dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; - if ((acc_mode & (dac_granted | cap_granted)) != - acc_mode) + /* + * XXXRW: Do privilege lookup here. + */ + if ((acc_mode & (dac_granted | priv_granted)) + != acc_mode) break; if (privused != NULL) @@ -307,8 +308,11 @@ dac_granted |= (VWRITE | VAPPEND); dac_granted &= acl_mask_granted; - if ((acc_mode & (dac_granted | cap_granted)) != - acc_mode) + /* + * XXXRW: Do privilege lookup here. + */ + if ((acc_mode & (dac_granted | priv_granted)) + != acc_mode) break; if (privused != NULL) 
@@ -339,7 +343,10 @@ if ((acc_mode & dac_granted) == acc_mode) return (0); - if ((acc_mode & (dac_granted | cap_granted)) == acc_mode) { + /* + * XXXRW: Do privilege lookup here. + */ + if ((acc_mode & (dac_granted | priv_granted)) == acc_mode) { if (privused != NULL) *privused = 1; return (0); Index: sys/kern/subr_firmware.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/subr_firmware.c,v retrieving revision 1.5 diff -u -r1.5 subr_firmware.c --- sys/kern/subr_firmware.c 25 Jun 2006 12:36:21 -0000 1.5 +++ sys/kern/subr_firmware.c 30 Oct 2006 17:07:55 -0000 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -190,7 +191,8 @@ return NULL; } td = curthread; - if (suser(td) != 0 || securelevel_gt(td->td_ucred, 0) != 0) { + if (priv_check(td, PRIV_FIRMWARE_LOAD) != 0 || + securelevel_gt(td->td_ucred, 0) != 0) { printf("%s: insufficient privileges to " "load firmware image %s\n", __func__, imagename); return NULL; Index: sys/kern/subr_prf.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/subr_prf.c,v retrieving revision 1.125 diff -u -r1.125 subr_prf.c --- sys/kern/subr_prf.c 17 Sep 2006 20:00:35 -0000 1.125 +++ sys/kern/subr_prf.c 30 Oct 2006 17:07:55 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -870,7 +871,7 @@ int error, len; if (!unprivileged_read_msgbuf) { - error = suser(req->td); + error = priv_check(req->td, PRIV_MSGBUF); if (error) return (error); } Index: sys/kern/subr_witness.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/subr_witness.c,v retrieving revision 1.218 diff -u -r1.218 subr_witness.c --- sys/kern/subr_witness.c 13 Sep 2006 15:48:15 -0000 1.218 +++ sys/kern/subr_witness.c 30 Oct 2006 17:07:55 -0000 @@ -95,6 +95,7 @@ #include #include #include +#include #include #include #include 
@@ -533,7 +534,10 @@ error = sysctl_handle_int(oidp, &value, 0, req); if (error != 0 || req->newptr == NULL) return (error); - error = suser(req->td); + /* + * XXXRW: Why a priv check here? + */ + error = priv_check(req->td, PRIV_WITNESS); if (error != 0) return (error); if (value == witness_watch) Index: sys/kern/sysv_ipc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/sysv_ipc.c,v retrieving revision 1.29 diff -u -r1.29 sysv_ipc.c --- sys/kern/sysv_ipc.c 6 Jan 2005 23:35:39 -0000 1.29 +++ sys/kern/sysv_ipc.c 31 Oct 2006 08:31:20 -0000 @@ -1,8 +1,12 @@ /* $NetBSD: sysv_ipc.c,v 1.7 1994/06/29 06:33:11 cgd Exp $ */ /*- * Copyright (c) 1994 Herb Peyerl + * Copyright (c) 2006 nCircle Network Security, Inc. * All rights reserved. * + * This software was developed by Robert N. M. Watson for the TrustedBSD + * Project under contract to nCircle Network Security, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -39,6 +43,7 @@ #include #include #include +#include #include #include 
@@ -72,50 +77,73 @@ * Note: The MAC Framework does not require any modifications to the * ipcperm() function, as access control checks are performed throughout the * implementation of each primitive. Those entry point calls complement the - * ipcperm() discertionary checks. + * ipcperm() discertionary checks. Unlike file system discretionary access + * control, the original create of an object is given the same rights as the + * current owner. */ int -ipcperm(td, perm, mode) - struct thread *td; - struct ipc_perm *perm; - int mode; +ipcperm(struct thread *td, struct ipc_perm *perm, int acc_mode) { struct ucred *cred = td->td_ucred; - int error; + int error, obj_mode, dac_granted, priv_granted; - if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) { - /* - * For a non-create/owner, we require privilege to - * modify the object protections. Note: some other - * implementations permit IPC_M to be delegated to - * unprivileged non-creator/owner uids/gids. - */ - if (mode & IPC_M) { - error = suser(td); - if (error) - return (error); - } - /* - * Try to match against creator/owner group; if not, fall - * back on other. - */ - mode >>= 3; - if (!groupmember(perm->gid, cred) && - !groupmember(perm->cgid, cred)) - mode >>= 3; + dac_granted = 0; + if (cred->cr_uid == perm->cuid || cred->cr_uid == perm->uid) { + obj_mode = perm->mode; + dac_granted |= IPC_M; + } else if (groupmember(perm->gid, cred) || + groupmember(perm->cgid, cred)) { + obj_mode = perm->mode; + obj_mode <<= 3; } else { - /* - * Always permit the creator/owner to update the object - * protections regardless of whether the object mode - * permits it. - */ - if (mode & IPC_M) - return (0); + obj_mode = perm->mode; + obj_mode <<= 6; + } + + /* + * While the System V IPC permission model allows IPC_M to be + * granted, as part of the mode, our implementation requires + * privilege to adminster the object if not the owner or creator. 
+ */ +#if 0 + if (obj_mode & IPC_M) + dac_granted |= IPC_M; +#endif + if (obj_mode & IPC_R) + dac_granted |= IPC_R; + if (obj_mode & IPC_W) + dac_granted |= IPC_W; + + /* + * Simple case: all required rights are granted by DAC. + */ + if ((dac_granted & acc_mode) == acc_mode) + return (0); + + /* + * Privilege is required to satisfy the request. + */ + priv_granted = 0; + if ((acc_mode & IPC_M) && !(dac_granted & IPC_M)) { + error = priv_check(td, PRIV_IPC_ADMIN); + if (error == 0) + priv_granted |= IPC_M; } - if ((mode & perm->mode) != mode) { - if (suser(td) != 0) - return (EACCES); + if ((acc_mode & IPC_R) && !(dac_granted & IPC_R)) { + error = priv_check(td, PRIV_IPC_READ); + if (error == 0) + priv_granted |= IPC_R; } - return (0); + + if ((acc_mode & IPC_W) && !(dac_granted & IPC_W)) { + error = priv_check(td, PRIV_IPC_WRITE); + if (error == 0) + priv_granted |= IPC_W; + } + + if (((dac_granted | priv_granted) & acc_mode) == acc_mode) + return (0); + else + return (EACCES); } Index: sys/kern/sysv_msg.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/sysv_msg.c,v retrieving revision 1.63 diff -u -r1.63 sysv_msg.c --- sys/kern/sysv_msg.c 22 Oct 2006 11:52:13 -0000 1.63 +++ sys/kern/sysv_msg.c 30 Oct 2006 17:07:55 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include #include @@ -507,7 +508,7 @@ if ((error = ipcperm(td, &msqkptr->u.msg_perm, IPC_M))) goto done2; if (msqbuf->msg_qbytes > msqkptr->u.msg_qbytes) { - error = suser(td); + error = priv_check(td, PRIV_IPC_MSGSIZE); if (error) goto done2; } Index: sys/kern/tty.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/tty.c,v retrieving revision 1.262 diff -u -r1.262 tty.c --- sys/kern/tty.c 26 Oct 2006 21:42:20 -0000 1.262 +++ sys/kern/tty.c 30 Oct 2006 17:07:55 -0000 
@@ -86,6 +86,7 @@ #if defined(COMPAT_43TTY) #include #endif +#include #include #define TTYDEFCHARS #include @@ -1020,7 +1021,7 @@ break; case TIOCMSDTRWAIT: /* must be root since the wait applies to following logins */ - error = suser(td); + error = priv_check(td, PRIV_TTY_DTRWAIT); if (error) return (error); tp->t_dtr_wait = *(int *)data * hz / 100; @@ -1169,9 +1170,9 @@ splx(s); break; case TIOCSTI: /* simulate terminal input */ - if ((flag & FREAD) == 0 && suser(td)) + if ((flag & FREAD) == 0 && priv_check(td, PRIV_TTY_STI)) return (EPERM); - if (!isctty(p, tp) && suser(td)) + if (!isctty(p, tp) && priv_check(td, PRIV_TTY_STI)) return (EACCES); s = spltty(); ttyld_rint(tp, *(u_char *)data); @@ -1244,7 +1245,7 @@ } break; case TIOCSDRAINWAIT: - error = suser(td); + error = priv_check(td, PRIV_TTY_DRAINWAIT); if (error) return (error); tp->t_timeout = *(int *)data * hz; @@ -3114,7 +3115,8 @@ goto out; goto open_top; } - if (tp->t_state & TS_XCLUDE && suser(td)) + if (tp->t_state & TS_XCLUDE && priv_check(td, + PRIV_TTY_EXCLUSIVE)) return (EBUSY); } else { /* @@ -3340,7 +3342,7 @@ ct = dev->si_drv2; switch (cmd) { case TIOCSETA: - error = suser(td); + error = priv_check(td, PRIV_TTY_SETA); if (error != 0) return (error); *ct = *(struct termios *)data; Index: sys/kern/tty_cons.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/tty_cons.c,v retrieving revision 1.135 diff -u -r1.135 tty_cons.c --- sys/kern/tty_cons.c 26 May 2006 11:00:20 -0000 1.135 +++ sys/kern/tty_cons.c 30 Oct 2006 17:07:55 -0000 @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include 
@@ -506,7 +507,7 @@ * output from the "virtual" console. */ if (cmd == TIOCCONS && constty) { - error = suser(td); + error = priv_check(td, PRIV_TTY_CONSOLE); if (error) return (error); constty = NULL; Index: sys/kern/tty_pts.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/tty_pts.c,v retrieving revision 1.10 diff -u -r1.10 tty_pts.c --- sys/kern/tty_pts.c 29 Sep 2006 09:53:19 -0000 1.10 +++ sys/kern/tty_pts.c 30 Oct 2006 17:07:55 -0000 @@ -56,6 +56,7 @@ #if defined(COMPAT_43TTY) #include #endif +#include #include #include #include @@ -268,9 +269,11 @@ tp = dev->si_tty; if ((tp->t_state & TS_ISOPEN) == 0) ttyinitmode(tp, 1, 0); - else if (tp->t_state & TS_XCLUDE && suser(td)) { + else if (tp->t_state & TS_XCLUDE && priv_check(td, + PRIV_TTY_EXCLUSIVE)) { return (EBUSY); - } else if (pt->pt_prison != td->td_ucred->cr_prison && suser(td)) { + } else if (pt->pt_prison != td->td_ucred->cr_prison && + priv_check(td, PRIV_TTY_PRISON)) { return (EBUSY); } if (tp->t_oproc) /* Ctrlr still around. */ Index: sys/kern/tty_pty.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/tty_pty.c,v retrieving revision 1.150 diff -u -r1.150 tty_pty.c --- sys/kern/tty_pty.c 4 Oct 2006 05:43:39 -0000 1.150 +++ sys/kern/tty_pty.c 30 Oct 2006 17:07:55 -0000 @@ -46,6 +46,7 @@ #if defined(COMPAT_43TTY) #include #endif +#include #include #include #include 
@@ -207,9 +208,11 @@ if ((tp->t_state & TS_ISOPEN) == 0) { ttyinitmode(tp, 1, 0); - } else if (tp->t_state & TS_XCLUDE && suser(td)) + } else if (tp->t_state & TS_XCLUDE && priv_check(td, + PRIV_TTY_EXCLUSIVE)) return (EBUSY); - else if (pt->pt_prison != td->td_ucred->cr_prison && suser(td)) + else if (pt->pt_prison != td->td_ucred->cr_prison && + priv_check(td, PRIV_TTY_PRISON)) return (EBUSY); if (tp->t_oproc) /* Ctrlr still around. */ (void)ttyld_modem(tp, 1); Index: sys/kern/uipc_mqueue.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/uipc_mqueue.c,v retrieving revision 1.16 diff -u -r1.16 uipc_mqueue.c --- sys/kern/uipc_mqueue.c 26 Sep 2006 04:12:47 -0000 1.16 +++ sys/kern/uipc_mqueue.c 30 Oct 2006 17:07:55 -0000 @@ -65,6 +65,7 @@ #include #include #include +#include #include #include #include @@ -955,8 +956,12 @@ sx_assert(&pn->mn_info->mi_lock, SX_LOCKED); + /* + * XXXRW: Other instances of the message queue primitive are + * allowed in jail? + */ if (ucred->cr_uid != pn->mn_uid && - (error = suser_cred(ucred, 0)) != 0) + (error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0) error = EACCES; else if (!pn->mn_deleted) { parent = pn->mn_parent; @@ -1207,10 +1212,16 @@ */ if ((error = VOP_ACCESS(vp, VADMIN, ap->a_cred, ap->a_td))) return (error); + + /* + * XXXRW: Why is there a privilege check here: shouldn't the + * check in VOP_ACCESS() be enough? Also, are the group bits + * below definitely right? + */ if (((ap->a_cred->cr_uid != pn->mn_uid) || uid != pn->mn_uid || (gid != pn->mn_gid && !groupmember(gid, ap->a_cred))) && - (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL)) - != 0) + (error = priv_check_cred(ap->a_td->td_ucred, + PRIV_MQ_ADMIN, SUSER_ALLOWJAIL)) != 0) return (error); pn->mn_uid = uid; pn->mn_gid = gid; 
@@ -1219,7 +1230,8 @@ if (vap->va_mode != (mode_t)VNOVAL) { if ((ap->a_cred->cr_uid != pn->mn_uid) && - (error = suser_cred(ap->a_td->td_ucred, SUSER_ALLOWJAIL))) + (error = priv_check_cred(ap->a_td->td_ucred, + PRIV_MQ_ADMIN, SUSER_ALLOWJAIL))) return (error); pn->mn_mode = vap->va_mode; c = 1; Index: sys/kern/uipc_sem.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/uipc_sem.c,v retrieving revision 1.25 diff -u -r1.25 uipc_sem.c --- sys/kern/uipc_sem.c 22 Oct 2006 11:52:13 -0000 1.25 +++ sys/kern/uipc_sem.c 30 Oct 2006 17:07:55 -0000 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -419,15 +420,23 @@ { struct ucred *uc; + /* + * XXXRW: This permission routine appears to be incorrect. If the + * user matches, we shouldn't go on to the group if the user + * permissions don't allow the action? Not changed for now. To fix, + * change from a series of if (); if (); to if () else if () else... + */ uc = td->td_ucred; DP(("sem_perm: uc(%d,%d) ks(%d,%d,%o)\n", uc->cr_uid, uc->cr_gid, ks->ks_uid, ks->ks_gid, ks->ks_mode)); - if ((uc->cr_uid == ks->ks_uid && (ks->ks_mode & S_IWUSR) != 0) || - (uc->cr_gid == ks->ks_gid && (ks->ks_mode & S_IWGRP) != 0) || - (ks->ks_mode & S_IWOTH) != 0 || suser(td) == 0) + if ((uc->cr_uid == ks->ks_uid) && (ks->ks_mode & S_IWUSR) != 0) + return (0); + if ((uc->cr_gid == ks->ks_gid) && (ks->ks_mode & S_IWGRP) != 0) + return (0); + if ((ks->ks_mode & S_IWOTH) != 0) return (0); - return (EPERM); + return (priv_check(td, PRIV_SEM_WRITE)); } static void Index: sys/kern/vfs_mount.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/vfs_mount.c,v retrieving revision 1.241 diff -u -r1.241 vfs_mount.c --- sys/kern/vfs_mount.c 22 Oct 2006 11:52:14 -0000 1.241 +++ sys/kern/vfs_mount.c 30 Oct 2006 17:07:55 -0000 
@@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include @@ -808,23 +809,31 @@ if (jailed(td->td_ucred)) return (EPERM); if (usermount == 0) { - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_VFS_MOUNT)) != 0) return (error); } /* * Do not allow NFS export or MNT_SUIDDIR by unprivileged users. */ - if (fsflags & (MNT_EXPORTED | MNT_SUIDDIR)) { - if ((error = suser(td)) != 0) + if (fsflags & MNT_EXPORTED) { + error = priv_check(td, PRIV_VFS_MOUNT_EXPORTED); + if (error) return (error); } + if (fsflags & MNT_SUIDDIR) { + error = priv_check(td, PRIV_VFS_MOUNT_SUIDDIR); + if (error) + return (error); + + } /* - * Silently enforce MNT_NOSUID and MNT_USER for - * unprivileged users. + * Silently enforce MNT_NOSUID and MNT_USER for unprivileged users. */ - if (suser(td) != 0) - fsflags |= MNT_NOSUID | MNT_USER; + if ((fsflags & (MNT_NOSUID | MNT_USER)) != (MNT_NOSUID | MNT_USER)) { + if (priv_check(td, PRIV_VFS_MOUNT_NONUSER) != 0) + fsflags |= MNT_NOSUID | MNT_USER; + } /* Load KLDs before we lock the covered vnode to avoid reversals. */ vfsp = NULL; @@ -906,7 +915,9 @@ return (error); } if (va.va_uid != td->td_ucred->cr_uid) { - if ((error = suser(td)) != 0) { + error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL); + if (error) { vput(vp); return (error); } @@ -1078,7 +1089,8 @@ if (jailed(td->td_ucred)) return (EPERM); if (usermount == 0) { - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_VFS_UNMOUNT); + if (error) return (error); } Index: sys/kern/vfs_subr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/vfs_subr.c,v retrieving revision 1.686 diff -u -r1.686 vfs_subr.c --- sys/kern/vfs_subr.c 22 Oct 2006 11:52:14 -0000 1.686 +++ sys/kern/vfs_subr.c 30 Oct 2006 17:07:55 -0000 @@ -61,6 +61,7 @@ #include #include #include +#include #include #include #include 
@@ -412,7 +413,7 @@ if ((mp->mnt_flag & MNT_USER) == 0 || mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) { - if ((error = suser(td)) != 0) + if ((error = priv_check(td, PRIV_VFS_MOUNT_OWNER)) != 0) return (error); } return (0); @@ -3176,9 +3177,7 @@ mode_t acc_mode, struct ucred *cred, int *privused) { mode_t dac_granted; -#ifdef CAPABILITIES - mode_t cap_granted; -#endif + mode_t priv_granted; /* * Look for a normal, non-privileged way to access the file/directory 
@@ -3232,59 +3231,46 @@ return (0); privcheck: - if (!suser_cred(cred, SUSER_ALLOWJAIL)) { - /* XXX audit: privilege used */ - if (privused != NULL) - *privused = 1; - return (0); - } - -#ifdef CAPABILITIES /* - * Build a capability mask to determine if the set of capabilities + * Build a privilege mask to determine if the set of privileges * satisfies the requirements when combined with the granted mask - * from above. For each capability, if the capability is required, - * bitwise or the request type onto the cap_granted mask. - * - * Note: This is never actually used, but is here for reference - * purposes. + * from above. For each privilege, if the privilege is required, + * bitwise or the request type onto the priv_granted mask. */ - cap_granted = 0; + priv_granted = 0; if (type == VDIR) { /* - * For directories, use CAP_DAC_READ_SEARCH to satisfy - * VEXEC requests, instead of CAP_DAC_EXECUTE. + * For directories, use PRIV_VFS_LOOKUP to satisfy VEXEC + * requests, instead of PRIV_VFS_EXEC. 
*/ if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, - SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_LOOKUP, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } else { if ((acc_mode & VEXEC) && ((dac_granted & VEXEC) == 0) && - !cap_check(cred, NULL, CAP_DAC_EXECUTE, SUSER_ALLOWJAIL)) - cap_granted |= VEXEC; + !priv_check_cred(cred, PRIV_VFS_EXEC, SUSER_ALLOWJAIL)) + priv_granted |= VEXEC; } if ((acc_mode & VREAD) && ((dac_granted & VREAD) == 0) && - !cap_check(cred, NULL, CAP_DAC_READ_SEARCH, SUSER_ALLOWJAIL)) - cap_granted |= VREAD; + !priv_check_cred(cred, PRIV_VFS_READ, SUSER_ALLOWJAIL)) + priv_granted |= VREAD; if ((acc_mode & VWRITE) && ((dac_granted & VWRITE) == 0) && - !cap_check(cred, NULL, CAP_DAC_WRITE, SUSER_ALLOWJAIL)) - cap_granted |= (VWRITE | VAPPEND); + !priv_check_cred(cred, PRIV_VFS_WRITE, SUSER_ALLOWJAIL)) + priv_granted |= (VWRITE | VAPPEND); if ((acc_mode & VADMIN) && ((dac_granted & VADMIN) == 0) && - !cap_check(cred, NULL, CAP_FOWNER, SUSER_ALLOWJAIL)) - cap_granted |= VADMIN; + !priv_check_cred(cred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL)) + priv_granted |= VADMIN; - if ((acc_mode & (cap_granted | dac_granted)) == acc_mode) { + if ((acc_mode & (priv_granted | dac_granted)) == acc_mode) { /* XXX audit: privilege used */ if (privused != NULL) *privused = 1; return (0); } -#endif return ((acc_mode & VADMIN) ? EPERM : EACCES); } 
@@ -3305,16 +3291,13 @@ return (0); /* - * Do not allow privileged processes in jail to directly - * manipulate system attributes. - * - * XXX What capability should apply here? - * Probably CAP_SYS_SETFFLAG. + * Do not allow privileged processes in jail to directly manipulate + * system attributes. */ switch (attrnamespace) { case EXTATTR_NAMESPACE_SYSTEM: /* Potentially should be: return (EPERM); */ - return (suser_cred(cred, 0)); + return (priv_check_cred(cred, PRIV_VFS_EXTATTR_SYSTEM, 0)); case EXTATTR_NAMESPACE_USER: return (VOP_ACCESS(vp, access, cred, td)); default: Index: sys/kern/vfs_syscalls.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.427 diff -u -r1.427 vfs_syscalls.c --- sys/kern/vfs_syscalls.c 26 Oct 2006 13:20:28 -0000 1.427 +++ sys/kern/vfs_syscalls.c 30 Oct 2006 17:07:55 -0000 @@ -60,6 +60,7 @@ #include #include #include +#include #include #include #include @@ -272,7 +273,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); @@ -357,7 +358,7 @@ error = VFS_STATFS(mp, sp, td); if (error) goto out; - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); @@ -468,7 +469,7 @@ vfs_unbusy(mp, td); continue; } - if (suser(td)) { + if (priv_check(td, PRIV_VFS_GENERATION)) { bcopy(sp, &sb, sizeof(sb)); sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0; prison_enforce_statfs(td->td_ucred, mp, &sb); 
@@ -842,7 +843,8 @@ struct nameidata nd; int vfslocked; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_VFS_CHROOT, + SUSER_ALLOWJAIL); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1, @@ -896,8 +898,8 @@ /* * Common routine for kern_chroot() and jail_attach(). The caller is - * responsible for invoking suser() and mac_check_chroot() to authorize this - * operation. + * responsible for invoking priv_check() and mac_check_chroot() to authorize + * this operation. */ int change_root(vp, td) @@ -1186,10 +1188,16 @@ switch (mode & S_IFMT) { case S_IFCHR: case S_IFBLK: - error = suser(td); + error = priv_check(td, PRIV_VFS_MKNOD_DEV); + break; + case S_IFMT: + error = priv_check(td, PRIV_VFS_MKNOD_BAD); + break; + case S_IFWHT: + error = priv_check(td, PRIV_VFS_MKNOD_WHT); break; default: - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = EINVAL; break; } if (error) @@ -1234,8 +1242,7 @@ whiteout = 1; break; default: - error = EINVAL; - break; + panic("kern_mknod: invalid mode"); } } if (vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) { @@ -1390,9 +1397,6 @@ struct vattr va; int error; - if (suser_cred(cred, SUSER_ALLOWJAIL) == 0) - return (0); - if (!hardlink_check_uid && !hardlink_check_gid) return (0); @@ -1400,14 +1404,18 @@ if (error != 0) return (error); - if (hardlink_check_uid) { - if (cred->cr_uid != va.va_uid) - return (EPERM); + if (hardlink_check_uid && cred->cr_uid != va.va_uid) { + error = priv_check_cred(cred, PRIV_VFS_LINK, + SUSER_ALLOWJAIL); + if (error) + return (error); } - if (hardlink_check_gid) { - if (!groupmember(va.va_gid, cred)) - return (EPERM); + if (hardlink_check_gid && !groupmember(va.va_gid, cred)) { + error = priv_check_cred(cred, PRIV_VFS_LINK, + SUSER_ALLOWJAIL); + if (error) + return (error); } return (0); 
@@ -2361,7 +2369,8 @@ * chown can't fail when done as root. */ if (vp->v_type == VCHR || vp->v_type == VBLK) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_VFS_CHFLAGS_DEV, + SUSER_ALLOWJAIL); if (error) return (error); } @@ -3894,7 +3903,8 @@ if (error) goto out; if (td->td_ucred->cr_uid != vattr.va_uid) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL); if (error) goto out; } @@ -3960,7 +3970,7 @@ int vfslocked; int error; - error = suser(td); + error = priv_check(td, PRIV_VFS_GETFH); if (error) return (error); NDINIT(&nd, LOOKUP, NOFOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1, @@ -3999,7 +4009,7 @@ int vfslocked; int error; - error = suser(td); + error = priv_check(td, PRIV_VFS_GETFH); if (error) return (error); NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | MPSAFE | AUDITVNODE1, @@ -4022,10 +4032,10 @@ } /* - * syscall for the rpc.lockd to use to translate a NFS file handle into - * an open descriptor. + * syscall for the rpc.lockd to use to translate a NFS file handle into an + * open descriptor. * - * warning: do not remove the suser() call or this becomes one giant + * warning: do not remove the priv_check() call or this becomes one giant * security hole. * * MP SAFE @@ -4058,7 +4068,7 @@ int vfslocked; int indx; - error = suser(td); + error = priv_check(td, PRIV_VFS_FHOPEN); if (error) return (error); fmode = FFLAGS(uap->flags); @@ -4242,7 +4252,7 @@ int vfslocked; int error; - error = suser(td); + error = priv_check(td, PRIV_VFS_FHSTAT); if (error) return (error); error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t)); 
@@ -4307,7 +4317,7 @@ int vfslocked; int error; - error = suser(td); + error = priv_check(td, PRIV_VFS_FHSTATFS); if (error) return (error); if ((mp = vfs_getvfs(&fh.fh_fsid)) == NULL) Index: sys/kern/vfs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/kern/vfs_vnops.c,v retrieving revision 1.245 diff -u -r1.245 vfs_vnops.c --- sys/kern/vfs_vnops.c 22 Oct 2006 11:52:14 -0000 1.245 +++ sys/kern/vfs_vnops.c 30 Oct 2006 17:07:55 -0000 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include @@ -709,7 +710,7 @@ sb->st_blksize = PAGE_SIZE; sb->st_flags = vap->va_flags; - if (suser(td)) + if (priv_check(td, PRIV_VFS_GENERATION)) sb->st_gen = 0; else sb->st_gen = vap->va_gen; Index: sys/net/bpf.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/bpf.c,v retrieving revision 1.173 diff -u -r1.173 bpf.c --- sys/net/bpf.c 22 Oct 2006 11:52:15 -0000 1.173 +++ sys/net/bpf.c 30 Oct 2006 17:07:55 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -1724,7 +1725,7 @@ * if the users who opened the devices were able to retrieve * the statistics for them, too. */ - error = suser(req->td); + error = priv_check(req->td, PRIV_NET_BPF); if (error) return (error); if (req->oldptr == NULL) Index: sys/net/if.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if.c,v retrieving revision 1.263 diff -u -r1.263 if.c --- sys/net/if.c 22 Oct 2006 11:52:15 -0000 1.263 +++ sys/net/if.c 30 Oct 2006 17:07:55 -0000 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -1489,7 +1490,7 @@ break; case SIOCSIFFLAGS: - error = suser(td); + error = priv_check(td, PRIV_NET_SETIFFLAGS); if (error) return (error); /* 
@@ -1532,7 +1533,7 @@ break; case SIOCSIFCAP: - error = suser(td); + error = priv_check(td, PRIV_NET_SETIFCAP); if (error) return (error); if (ifp->if_ioctl == NULL) @@ -1553,8 +1554,8 @@ #endif case SIOCSIFNAME: - error = suser(td); - if (error != 0) + error = priv_check(td, PRIV_NET_SETIFNAME); + if (error) return (error); error = copyinstr(ifr->ifr_data, new_name, IFNAMSIZ, NULL); if (error != 0) @@ -1600,7 +1601,7 @@ break; case SIOCSIFMETRIC: - error = suser(td); + error = priv_check(td, PRIV_NET_SETIFMETRIC); if (error) return (error); ifp->if_metric = ifr->ifr_metric; @@ -1608,7 +1609,7 @@ break; case SIOCSIFPHYS: - error = suser(td); + error = priv_check(td, PRIV_NET_SETIFPHYS); if (error) return (error); if (ifp->if_ioctl == NULL) @@ -1624,7 +1625,7 @@ { u_long oldmtu = ifp->if_mtu; - error = suser(td); + error = priv_check(td, PRIV_NET_SETIFMTU); if (error) return (error); if (ifr->ifr_mtu < IF_MINMTU || ifr->ifr_mtu > IF_MAXMTU) @@ -1651,7 +1652,10 @@ case SIOCADDMULTI: case SIOCDELMULTI: - error = suser(td); + if (cmd == SIOCADDMULTI) + error = priv_check(td, PRIV_NET_ADDMULTI); + else + error = priv_check(td, PRIV_NET_DELMULTI); if (error) return (error); @@ -1681,7 +1685,7 @@ case SIOCSLIFPHYADDR: case SIOCSIFMEDIA: case SIOCSIFGENERIC: - error = suser(td); + error = priv_check(td, PRIV_NET_HWIOCTL); if (error) return (error); if (ifp->if_ioctl == NULL) @@ -1710,7 +1714,7 @@ break; case SIOCSIFLLADDR: - error = suser(td); + error = priv_check(td, PRIV_NET_SETLLADDR); if (error) return (error); error = if_setlladdr(ifp, @@ -1721,7 +1725,7 @@ { struct ifgroupreq *ifgr = (struct ifgroupreq *)ifr; - error = suser(td); + error = priv_check(td, PRIV_NET_ADDIFGROUP); if (error) return (error); if ((error = if_addgroup(ifp, ifgr->ifgr_group))) 
@@ -1738,7 +1742,7 @@ { struct ifgroupreq *ifgr = (struct ifgroupreq *)ifr; - error = suser(td); + error = priv_check(td, PRIV_NET_DELIFGROUP); if (error) return (error); if ((error = if_delgroup(ifp, ifgr->ifgr_group))) @@ -1777,12 +1781,14 @@ switch (cmd) { case SIOCIFCREATE: case SIOCIFCREATE2: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_IFCREATE); + if (error) return (error); return (if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name), cmd == SIOCIFCREATE2 ? ifr->ifr_data : NULL)); case SIOCIFDESTROY: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_IFDESTROY); + if (error) return (error); return if_clone_destroy(ifr->ifr_name); Index: sys/net/if_bridge.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_bridge.c,v retrieving revision 1.82 diff -u -r1.82 if_bridge.c --- sys/net/if_bridge.c 9 Oct 2006 00:49:57 -0000 1.82 +++ sys/net/if_bridge.c 30 Oct 2006 17:07:55 -0000 @@ -101,6 +101,7 @@ #include #include #include +#include #include #include #include @@ -678,7 +679,7 @@ } if (bc->bc_flags & BC_F_SUSER) { - error = suser(td); + error = priv_check(td, PRIV_NET_BRIDGE); if (error) break; } Index: sys/net/if_gre.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_gre.c,v retrieving revision 1.44 diff -u -r1.44 if_gre.c --- sys/net/if_gre.c 4 Aug 2006 21:27:37 -0000 1.44 +++ sys/net/if_gre.c 30 Oct 2006 17:07:55 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include #include @@ -452,7 +453,11 @@ case SIOCSIFDSTADDR: break; case SIOCSIFFLAGS: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_SETIFFLAGS)) != 0) break; if ((ifr->ifr_flags & IFF_LINK0) != 0) sc->g_proto = IPPROTO_GRE; 
@@ -464,7 +469,11 @@ sc->wccp_ver = WCCP_V1; goto recompute; case SIOCSIFMTU: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_SETIFMTU)) != 0) break; if (ifr->ifr_mtu < 576) { error = EINVAL; @@ -476,8 +485,36 @@ ifr->ifr_mtu = GRE2IFP(sc)->if_mtu; break; case SIOCADDMULTI: + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_ADDMULTI)) != 0) + break; + if (ifr == 0) { + error = EAFNOSUPPORT; + break; + } + switch (ifr->ifr_addr.sa_family) { +#ifdef INET + case AF_INET: + break; +#endif +#ifdef INET6 + case AF_INET6: + break; +#endif + default: + error = EAFNOSUPPORT; + break; + } + break; case SIOCDELMULTI: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_DELIFGROUP)) != 0) break; if (ifr == 0) { error = EAFNOSUPPORT; @@ -498,7 +535,11 @@ } break; case GRESPROTO: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_GRE)) != 0) break; sc->g_proto = ifr->ifr_flags; switch (sc->g_proto) { @@ -518,8 +559,9 @@ break; case GRESADDRS: case GRESADDRD: - if ((error = suser(curthread)) != 0) - break; + error = priv_check(curthread, PRIV_NET_GRE); + if (error) + return (error); /* * set tunnel endpoints, compute a less specific route * to the remote end and mark if as up @@ -584,7 +626,11 @@ ifr->ifr_addr = *sa; break; case SIOCSIFPHYADDR: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_SETIFPHYS)) != 0) break; if (aifr->ifra_addr.sin_family != AF_INET || aifr->ifra_dstaddr.sin_family != AF_INET) { 
@@ -600,7 +646,11 @@ sc->g_dst = aifr->ifra_dstaddr.sin_addr; goto recompute; case SIOCSLIFPHYADDR: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_SETIFPHYS)) != 0) break; if (lifr->addr.ss_family != AF_INET || lifr->dstaddr.ss_family != AF_INET) { @@ -617,7 +667,11 @@ (satosin(&lifr->dstaddr))->sin_addr; goto recompute; case SIOCDIFPHYADDR: - if ((error = suser(curthread)) != 0) + /* + * XXXRW: Isn't this suser() redundant to the ifnet layer + * check? + */ + if ((error = priv_check(curthread, PRIV_NET_SETIFPHYS)) != 0) break; sc->g_src.s_addr = INADDR_ANY; sc->g_dst.s_addr = INADDR_ANY; Index: sys/net/if_ppp.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_ppp.c,v retrieving revision 1.116 diff -u -r1.116 if_ppp.c --- sys/net/if_ppp.c 22 Oct 2006 11:52:15 -0000 1.116 +++ sys/net/if_ppp.c 30 Oct 2006 17:07:55 -0000 @@ -87,6 +87,7 @@ #include #include +#include #include #include #include @@ -451,7 +452,8 @@ break; case PPPIOCSFLAGS: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; flags = *(int *)data & SC_MASK; s = splsoftnet(); @@ -465,8 +467,9 @@ break; case PPPIOCSMRU: - if ((error = suser(td)) != 0) - return (error); + error = priv_check(td, PRIV_NET_PPP); + if (error) + return (error); mru = *(int *)data; if (mru >= PPP_MRU && mru <= PPP_MAXMRU) sc->sc_mru = mru; @@ -478,7 +481,8 @@ #ifdef VJC case PPPIOCSMAXCID: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; if (sc->sc_comp) { s = splsoftnet(); 
@@ -489,14 +493,16 @@ #endif case PPPIOCXFERUNIT: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; sc->sc_xfer = p->p_pid; break; #ifdef PPP_COMPRESS case PPPIOCSCOMPRESS: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; odp = (struct ppp_option_data *) data; nb = odp->length; @@ -569,7 +575,8 @@ if (cmd == PPPIOCGNPMODE) { npi->mode = sc->sc_npmode[npx]; } else { - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; if (npi->mode != sc->sc_npmode[npx]) { s = splsoftnet(); @@ -695,6 +702,10 @@ break; case SIOCSIFMTU: + /* + * XXXRW: Isn't this suser() check redundant to the one at the ifnet + * layer? + */ if ((error = suser(td)) != 0) break; if (ifr->ifr_mtu > PPP_MAXMTU) Index: sys/net/if_sl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_sl.c,v retrieving revision 1.132 diff -u -r1.132 if_sl.c --- sys/net/if_sl.c 2 Jun 2006 19:59:32 -0000 1.132 +++ sys/net/if_sl.c 30 Oct 2006 17:07:55 -0000 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include @@ -366,7 +367,7 @@ register struct sl_softc *sc; int s, error; - error = suser(curthread); + error = priv_check(curthread, PRIV_NET_SLIP); if (error) return (error); Index: sys/net/if_tap.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_tap.c,v retrieving revision 1.63 diff -u -r1.63 if_tap.c --- sys/net/if_tap.c 27 Sep 2006 19:57:01 -0000 1.63 +++ sys/net/if_tap.c 30 Oct 2006 17:07:55 -0000 @@ -47,6 +47,7 @@ #include #include #include +#include #include #include #include 
@@ -373,10 +374,13 @@ { struct tap_softc *tp = NULL; struct ifnet *ifp = NULL; - int s; + int error, s; - if (tapuopen == 0 && suser(td) != 0) - return (EPERM); + if (tapuopen == 0) { + error = priv_check(td, PRIV_NET_TAP); + if (error) + return (error); + } if ((dev2unit(dev) & CLONE_UNITMASK) > TAPMAXUNIT) return (ENXIO); Index: sys/net/if_tun.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/if_tun.c,v retrieving revision 1.159 diff -u -r1.159 if_tun.c --- sys/net/if_tun.c 22 Oct 2006 11:52:15 -0000 1.159 +++ sys/net/if_tun.c 30 Oct 2006 17:07:55 -0000 @@ -23,6 +23,7 @@ #include "opt_mac.h" #include +#include #include #include #include @@ -597,9 +598,11 @@ tunp = (struct tuninfo *)data; if (tunp->mtu < IF_MINMTU) return (EINVAL); - if (TUN2IFP(tp)->if_mtu != tunp->mtu - && (error = suser(td)) != 0) - return (error); + if (TUN2IFP(tp)->if_mtu != tunp->mtu) { + error = priv_check(td, PRIV_NET_SETIFMTU); + if (error) + return (error); + } TUN2IFP(tp)->if_mtu = tunp->mtu; TUN2IFP(tp)->if_type = tunp->type; TUN2IFP(tp)->if_baudrate = tunp->baudrate; Index: sys/net/ppp_tty.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/ppp_tty.c,v retrieving revision 1.69 diff -u -r1.69 ppp_tty.c --- sys/net/ppp_tty.c 16 Oct 2005 20:44:18 -0000 1.69 +++ sys/net/ppp_tty.c 30 Oct 2006 17:07:55 -0000 @@ -79,6 +79,7 @@ #include #include +#include #include #include #include @@ -179,7 +180,8 @@ register struct ppp_softc *sc; int error, s; - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) return (error); s = spltty(); @@ -423,7 +425,8 @@ error = 0; switch (cmd) { case PPPIOCSASYNCMAP: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; sc->sc_asyncmap[0] = *(u_int *)data; break; 
@@ -433,7 +436,8 @@ break; case PPPIOCSRASYNCMAP: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; sc->sc_rasyncmap = *(u_int *)data; break; @@ -443,7 +447,8 @@ break; case PPPIOCSXASYNCMAP: - if ((error = suser(td)) != 0) + error = priv_check(td, PRIV_NET_PPP); + if (error) break; s = spltty(); bcopy(data, sc->sc_asyncmap, sizeof(sc->sc_asyncmap)); Index: sys/net/raw_usrreq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/raw_usrreq.c,v retrieving revision 1.43 diff -u -r1.43 raw_usrreq.c --- sys/net/raw_usrreq.c 21 Jul 2006 17:11:12 -0000 1.43 +++ sys/net/raw_usrreq.c 30 Oct 2006 17:07:55 -0000 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -171,8 +172,11 @@ */ KASSERT(sotorawcb(so) != NULL, ("raw_uattach: so_pcb == NULL")); - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NET_RAW); + if (error) + return error; + } return raw_attach(so, proto); } Index: sys/net/rtsock.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net/rtsock.c,v retrieving revision 1.137 diff -u -r1.137 rtsock.c --- sys/net/rtsock.c 21 Jul 2006 17:11:12 -0000 1.137 +++ sys/net/rtsock.c 30 Oct 2006 17:07:55 -0000 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include 
@@ -368,8 +369,11 @@ * Verify that the caller has the appropriate privilege; RTM_GET * is the only operation the non-superuser is allowed. */ - if (rtm->rtm_type != RTM_GET && (error = suser(curthread)) != 0) - senderr(error); + if (rtm->rtm_type != RTM_GET) { + error = priv_check(curthread, PRIV_NET_ROUTE); + if (error) + senderr(error); + } switch (rtm->rtm_type) { struct rtentry *saved_nrt; Index: sys/net80211/ieee80211_ioctl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/net80211/ieee80211_ioctl.c,v retrieving revision 1.50 diff -u -r1.50 ieee80211_ioctl.c --- sys/net80211/ieee80211_ioctl.c 26 Sep 2006 12:41:13 -0000 1.50 +++ sys/net80211/ieee80211_ioctl.c 30 Oct 2006 17:07:55 -0000 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include @@ -344,7 +345,7 @@ case WI_RID_DEFLT_CRYPT_KEYS: keys = (struct wi_ltv_keys *)&wreq; /* do not show keys to non-root user */ - error = suser(curthread); + error = priv_check(curthread, PRIV_NET80211_GETKEY); if (error) { memset(keys, 0, sizeof(*keys)); error = 0; @@ -861,7 +862,7 @@ ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == ic->ic_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - if (suser(curthread) == 0) { + if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc; ik.ik_keytsc = wk->wk_keytsc; @@ -1510,7 +1511,7 @@ return EINVAL; len = (u_int) ic->ic_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - if (suser(curthread) == 0) { + if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { bcopy(ic->ic_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); @@ -2692,7 +2693,7 @@ (struct ieee80211req *) data); break; case SIOCS80211: - error = suser(curthread); + error = priv_check(curthread, PRIV_NET80211_MANAGE); if (error == 0) error = ieee80211_ioctl_set80211(ic, cmd, (struct ieee80211req *) data); 
@@ -2701,7 +2702,7 @@ error = ieee80211_cfgget(ic, cmd, data); break; case SIOCSIFGENERIC: - error = suser(curthread); + error = priv_check(curthread, PRIV_NET80211_MANAGE); if (error) break; error = ieee80211_cfgset(ic, cmd, data); Index: sys/netatalk/at_control.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netatalk/at_control.c,v retrieving revision 1.44 diff -u -r1.44 at_control.c --- sys/netatalk/at_control.c 22 Feb 2005 14:20:29 -0000 1.44 +++ sys/netatalk/at_control.c 30 Oct 2006 17:07:55 -0000 @@ -118,6 +118,8 @@ case SIOCSIFADDR: /* * If we are not superuser, then we don't get to do these ops. + * + * XXXRW: Layering? */ if (suser(td)) return (EPERM); Index: sys/netatalk/ddp_pcb.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netatalk/ddp_pcb.c,v retrieving revision 1.49 diff -u -r1.49 ddp_pcb.c --- sys/netatalk/ddp_pcb.c 2 Aug 2006 16:22:34 -0000 1.49 +++ sys/netatalk/ddp_pcb.c 30 Oct 2006 17:07:55 -0000 @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include @@ -100,7 +101,7 @@ return (EINVAL); } if (sat->sat_port < ATPORT_RESERVED && - suser(td)) { + priv_check(td, PRIV_NETATALK_RESERVEDPORT)) { return (EACCES); } } Index: sys/netatm/atm_usrreq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netatm/atm_usrreq.c,v retrieving revision 1.27 diff -u -r1.27 atm_usrreq.c --- sys/netatm/atm_usrreq.c 21 Jul 2006 17:11:13 -0000 1.27 +++ sys/netatm/atm_usrreq.c 30 Oct 2006 17:07:55 -0000 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -181,8 +182,11 @@ struct atmcfgreq *acp = (struct atmcfgreq *)data; struct atm_pif *pip; - if (td && (suser(td) != 0)) - ATM_RETERR(EPERM); + if (td != 0) { + err = priv_check(td, PRIV_NETATM_CFG); + if (err) + ATM_RETERR(err); + } switch (acp->acr_opcode) { 
@@ -214,8 +218,11 @@ struct atmaddreq *aap = (struct atmaddreq *)data; Atm_endpoint *epp; - if (td && (suser(td) != 0)) - ATM_RETERR(EPERM); + if (td != NULL) { + err = priv_check(td, PRIV_NETATM_ADD); + if (err) + ATM_RETERR(err); + } switch (aap->aar_opcode) { @@ -264,8 +271,11 @@ struct sigmgr *smp; Atm_endpoint *epp; - if (td && (suser(td) != 0)) - ATM_RETERR(EPERM); + if (td != NULL) { + err = priv_check(td, PRIV_NETATM_DEL); + if (err) + ATM_RETERR(err); + } switch (adp->adr_opcode) { @@ -317,8 +327,11 @@ struct sigmgr *smp; struct ifnet *ifp2; - if (td && (suser(td) != 0)) - ATM_RETERR(EPERM); + if (td != NULL) { + err = priv_check(td, PRIV_NETATM_SET); + if (err) + ATM_RETERR(err); + } switch (asp->asr_opcode) { Index: sys/netgraph/ng_socket.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netgraph/ng_socket.c,v retrieving revision 1.80 diff -u -r1.80 ng_socket.c --- sys/netgraph/ng_socket.c 18 Oct 2006 07:47:07 -0000 1.80 +++ sys/netgraph/ng_socket.c 30 Oct 2006 17:07:55 -0000 @@ -57,6 +57,7 @@ #include #include #include +#include #include #include #include @@ -167,9 +168,11 @@ ngc_attach(struct socket *so, int proto, struct thread *td) { struct ngpcb *const pcbp = sotongpcb(so); + int error; - if (suser(td)) - return (EPERM); + error = priv_check(td, PRIV_NETGRAPH_CONTROL); + if (error) + return (error); if (pcbp != NULL) return (EISCONN); return (ng_attach_cntl(so)); Index: sys/netgraph/ng_tty.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netgraph/ng_tty.c,v retrieving revision 1.36 diff -u -r1.36 ng_tty.c --- sys/netgraph/ng_tty.c 16 Oct 2005 20:44:18 -0000 1.36 +++ sys/netgraph/ng_tty.c 30 Oct 2006 17:07:55 -0000 @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include 
@@ -189,7 +190,8 @@ int error; /* Super-user only */ - if ((error = suser(td))) + error = priv_check(td, PRIV_NETGRAPH_TTY); + if (error) return (error); /* Initialize private struct */ Index: sys/netgraph/bluetooth/drivers/h4/ng_h4.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netgraph/bluetooth/drivers/h4/ng_h4.c,v retrieving revision 1.14 diff -u -r1.14 ng_h4.c --- sys/netgraph/bluetooth/drivers/h4/ng_h4.c 16 Oct 2005 20:44:18 -0000 1.14 +++ sys/netgraph/bluetooth/drivers/h4/ng_h4.c 30 Oct 2006 17:07:55 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -156,7 +157,7 @@ int s, error; /* Super-user only */ - error = suser(curthread); /* XXX */ + error = priv_check(curthread, PRIV_NETGRAPH_TTY); /* XXX */ if (error != 0) return (error); Index: sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c,v retrieving revision 1.22 diff -u -r1.22 ng_btsocket_hci_raw.c --- sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c 21 Jul 2006 17:11:13 -0000 1.22 +++ sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c 30 Oct 2006 17:07:55 -0000 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include 
@@ -916,7 +917,7 @@ so->so_pcb = (caddr_t) pcb; pcb->so = so; - if (suser(td) == 0) + if (priv_check(td, PRIV_NETBLUETOOTH_RAW) == 0) pcb->flags |= NG_BTSOCKET_HCI_RAW_PRIVILEGED; /* Index: sys/netgraph/bluetooth/socket/ng_btsocket_l2cap_raw.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netgraph/bluetooth/socket/ng_btsocket_l2cap_raw.c,v retrieving revision 1.19 diff -u -r1.19 ng_btsocket_l2cap_raw.c --- sys/netgraph/bluetooth/socket/ng_btsocket_l2cap_raw.c 21 Jul 2006 17:11:13 -0000 1.19 +++ sys/netgraph/bluetooth/socket/ng_btsocket_l2cap_raw.c 30 Oct 2006 17:07:55 -0000 @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include @@ -620,7 +621,7 @@ so->so_pcb = (caddr_t) pcb; pcb->so = so; - if (suser(td) == 0) + if (priv_check(td, PRIV_NETBLUETOOTH_RAW) == 0) pcb->flags |= NG_BTSOCKET_L2CAP_RAW_PRIVILEGED; mtx_init(&pcb->pcb_mtx, "btsocks_l2cap_raw_pcb_mtx", NULL, MTX_DEF); Index: sys/netinet/in.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/in.c,v retrieving revision 1.94 diff -u -r1.94 in.c --- sys/netinet/in.c 28 Sep 2006 10:04:07 -0000 1.94 +++ sys/netinet/in.c 30 Oct 2006 17:07:55 -0000 @@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include @@ -232,10 +233,25 @@ switch (cmd) { case SIOCALIFADDR: + if (td != NULL) { + error = priv_check(td, PRIV_NET_ADDIFADDR); + if (error) + return (error); + } + if (!ifp) + return EINVAL; + return in_lifaddr_ioctl(so, cmd, data, ifp, td); + case SIOCDLIFADDR: - if (td && (error = suser(td)) != 0) - return error; - /*fall through*/ + if (td != NULL) { + error = priv_check(td, PRIV_NET_DELIFADDR); + if (error) + return (error); + } + if (!ifp) + return EINVAL; + return in_lifaddr_ioctl(so, cmd, data, ifp, td); + case SIOCGLIFADDR: if (!ifp) return EINVAL; 
@@ -292,8 +308,11 @@ case SIOCSIFADDR: case SIOCSIFNETMASK: case SIOCSIFDSTADDR: - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NET_ADDIFADDR); + if (error) + return (error); + } if (ifp == 0) return (EADDRNOTAVAIL); @@ -330,8 +349,11 @@ break; case SIOCSIFBRDADDR: - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NET_ADDIFADDR); + if (error) + return (error); + } /* FALLTHROUGH */ case SIOCGIFADDR: Index: sys/netinet/in_pcb.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/in_pcb.c,v retrieving revision 1.182 diff -u -r1.182 in_pcb.c --- sys/netinet/in_pcb.c 22 Oct 2006 11:52:16 -0000 1.182 +++ sys/netinet/in_pcb.c 30 Oct 2006 17:07:55 -0000 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -331,7 +332,8 @@ /* GROSS */ if (ntohs(lport) <= ipport_reservedhigh && ntohs(lport) >= ipport_reservedlow && - suser_cred(cred, SUSER_ALLOWJAIL)) + priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL)) return (EACCES); if (jailed(cred)) prison = 1; @@ -400,7 +402,9 @@ last = ipport_hilastauto; lastport = &pcbinfo->lasthi; } else if (inp->inp_flags & INP_LOWPORT) { - if ((error = suser_cred(cred, SUSER_ALLOWJAIL)) != 0) + error = priv_check_cred(cred, + PRIV_NETINET_RESERVEDPORT, SUSER_ALLOWJAIL); + if (error) return error; first = ipport_lowfirstauto; /* 1023 */ last = ipport_lowlastauto; /* 600 */ Index: sys/netinet/ip_carp.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/ip_carp.c,v retrieving revision 1.44 diff -u -r1.44 ip_carp.c --- sys/netinet/ip_carp.c 7 Oct 2006 10:19:58 -0000 1.44 +++ sys/netinet/ip_carp.c 30 Oct 2006 17:07:55 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include 
@@ -1853,7 +1854,8 @@ break; case SIOCSVH: - if ((error = suser(curthread)) != 0) + error = priv_check(curthread, PRIV_NETINET_CARP); + if (error) break; if ((error = copyin(ifr->ifr_data, &carpr, sizeof carpr))) break; @@ -1928,7 +1930,8 @@ carpr.carpr_vhid = sc->sc_vhid; carpr.carpr_advbase = sc->sc_advbase; carpr.carpr_advskew = sc->sc_advskew; - if (suser(curthread) == 0) + error = priv_check(curthread, PRIV_NETINET_CARP); + if (error == 0) bcopy(sc->sc_key, carpr.carpr_key, sizeof(carpr.carpr_key)); error = copyout(&carpr, ifr->ifr_data, sizeof(carpr)); Index: sys/netinet/ip_divert.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/ip_divert.c,v retrieving revision 1.121 diff -u -r1.121 ip_divert.c --- sys/netinet/ip_divert.c 22 Oct 2006 11:52:16 -0000 1.121 +++ sys/netinet/ip_divert.c 30 Oct 2006 17:07:55 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -420,8 +421,11 @@ inp = sotoinpcb(so); KASSERT(inp == NULL, ("div_attach: inp != NULL")); - if (td && (error = suser(td)) != 0) - return error; + if (td != NULL) { + error = priv_check(td, PRIV_NETINET_DIVERT); + if (error) + return (error); + } error = soreserve(so, div_sendspace, div_recvspace); if (error) return error; Index: sys/netinet/ip_fw2.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/ip_fw2.c,v retrieving revision 1.152 diff -u -r1.152 ip_fw2.c --- sys/netinet/ip_fw2.c 22 Oct 2006 11:52:16 -0000 1.152 +++ sys/netinet/ip_fw2.c 30 Oct 2006 17:07:55 -0000 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include 
@@ -3980,7 +3981,7 @@ struct ip_fw *buf, *rule; u_int32_t rulenum[2]; - error = suser(sopt->sopt_td); + error = priv_check(sopt->sopt_td, PRIV_NETINET_IPFW); if (error) return (error); Index: sys/netinet/ip_mroute.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/ip_mroute.c,v retrieving revision 1.121 diff -u -r1.121 ip_mroute.c --- sys/netinet/ip_mroute.c 22 Oct 2006 11:52:16 -0000 1.121 +++ sys/netinet/ip_mroute.c 30 Oct 2006 17:07:56 -0000 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include @@ -576,7 +577,7 @@ * Typically, only root can create the raw socket in order to execute * this ioctl method, however the request might be coming from a prison */ - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error) return (error); switch (cmd) { Index: sys/netinet/ip_output.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/ip_output.c,v retrieving revision 1.267 diff -u -r1.267 ip_output.c --- sys/netinet/ip_output.c 22 Oct 2006 11:52:16 -0000 1.267 +++ sys/netinet/ip_output.c 30 Oct 2006 17:07:56 -0000 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include 
@@ -987,8 +988,20 @@ break; if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */ break; - priv = (sopt->sopt_td != NULL && - suser(sopt->sopt_td) != 0) ? 0 : 1; + if (sopt->sopt_td != NULL) { + /* + * XXXRW: Would be more desirable to do this + * one layer down so that we only exercise + * privilege if it is needed. + */ + error = priv_check(sopt->sopt_td, + PRIV_NETINET_IPSEC); + if (error) + priv = 0; + else + priv = 1; + } else + priv = 1; req = mtod(m, caddr_t); len = m->m_len; optname = sopt->sopt_name; Index: sys/netinet/raw_ip.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/raw_ip.c,v retrieving revision 1.166 diff -u -r1.166 raw_ip.c --- sys/netinet/raw_ip.c 22 Oct 2006 11:52:16 -0000 1.166 +++ sys/netinet/raw_ip.c 30 Oct 2006 17:07:56 -0000 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -387,7 +388,11 @@ case IP_FW_GET: case IP_FW_TABLE_GETSIZE: case IP_FW_TABLE_LIST: - error = suser(curthread); + /* + * XXXRW: Isn't this checked one layer down? Yes, it + * is. + */ + error = priv_check(curthread, PRIV_NETINET_IPFW); if (error != 0) return (error); if (ip_fw_ctl_ptr != NULL) @@ -397,7 +402,7 @@ break; case IP_DUMMYNET_GET: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_DUMMYNET); if (error != 0) return (error); if (ip_dn_ctl_ptr != NULL) @@ -418,7 +423,7 @@ case MRT_API_CONFIG: case MRT_ADD_BW_UPCALL: case MRT_DEL_BW_UPCALL: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error != 0) return (error); error = ip_mrouter_get ? ip_mrouter_get(so, sopt) : @@ -452,7 +457,10 @@ case IP_FW_TABLE_ADD: case IP_FW_TABLE_DEL: case IP_FW_TABLE_FLUSH: - error = suser(curthread); + /* + * XXXRW: Isn't this checked one layer down? + */ + error = priv_check(curthread, PRIV_NETINET_IPFW); if (error != 0) return (error); if (ip_fw_ctl_ptr != NULL) 
@@ -464,7 +472,7 @@ case IP_DUMMYNET_CONFIGURE: case IP_DUMMYNET_DEL: case IP_DUMMYNET_FLUSH: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_DUMMYNET); if (error != 0) return (error); if (ip_dn_ctl_ptr != NULL) @@ -474,14 +482,14 @@ break ; case IP_RSVP_ON: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error != 0) return (error); error = ip_rsvp_init(so); break; case IP_RSVP_OFF: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error != 0) return (error); error = ip_rsvp_done(); @@ -489,7 +497,7 @@ case IP_RSVP_VIF_ON: case IP_RSVP_VIF_OFF: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error != 0) return (error); error = ip_rsvp_vif ? @@ -508,7 +516,7 @@ case MRT_API_CONFIG: case MRT_ADD_BW_UPCALL: case MRT_DEL_BW_UPCALL: - error = suser(curthread); + error = priv_check(curthread, PRIV_NETINET_MROUTE); if (error != 0) return (error); error = ip_mrouter_set ? ip_mrouter_set(so, sopt) : @@ -598,9 +606,14 @@ inp = sotoinpcb(so); KASSERT(inp == NULL, ("rip_attach: inp != NULL")); + /* + * XXXRW: Centralize privilege decision in kern_jail.c. + */ if (jailed(td->td_ucred) && !jail_allow_raw_sockets) return (EPERM); - if ((error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL)) != 0) + error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW, + SUSER_ALLOWJAIL); + if (error) return error; if (proto >= IPPROTO_MAX || proto < 0) return EPROTONOSUPPORT; Index: sys/netinet/tcp_subr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/tcp_subr.c,v retrieving revision 1.265 diff -u -r1.265 tcp_subr.c --- sys/netinet/tcp_subr.c 22 Oct 2006 11:52:16 -0000 1.265 +++ sys/netinet/tcp_subr.c 30 Oct 2006 17:07:56 -0000 @@ -48,6 +48,7 @@ #ifdef INET6 #include #endif +#include #include #include #include 
@@ -1081,7 +1082,8 @@ struct inpcb *inp; int error; - error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, + SUSER_ALLOWJAIL); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); @@ -1125,7 +1127,8 @@ struct inpcb *inp; int error, mapped = 0; - error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, + SUSER_ALLOWJAIL); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); Index: sys/netinet/udp_usrreq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.195 diff -u -r1.195 udp_usrreq.c --- sys/netinet/udp_usrreq.c 22 Oct 2006 11:52:17 -0000 1.195 +++ sys/netinet/udp_usrreq.c 30 Oct 2006 17:07:56 -0000 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include @@ -687,7 +688,8 @@ struct inpcb *inp; int error; - error = suser_cred(req->td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, + SUSER_ALLOWJAIL); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs)); Index: sys/netinet6/in6.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet6/in6.c,v retrieving revision 1.64 diff -u -r1.64 in6.c --- sys/netinet6/in6.c 22 Sep 2006 01:42:22 -0000 1.64 +++ sys/netinet6/in6.c 30 Oct 2006 17:07:56 -0000 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include @@ -325,12 +326,8 @@ struct in6_ifreq *ifr = (struct in6_ifreq *)data; struct in6_ifaddr *ia = NULL; struct in6_aliasreq *ifra = (struct in6_aliasreq *)data; - int error, privileged; struct sockaddr_in6 *sa6; - - privileged = 0; - if (td == NULL || !suser(td)) - privileged++; + int error; switch (cmd) { case SIOCGETSGCNT_IN6: 
@@ -341,8 +338,11 @@ switch(cmd) { case SIOCAADDRCTL_POLICY: case SIOCDADDRCTL_POLICY: - if (!privileged) - return (EPERM); + if (td != NULL) { + error = priv_check(td, PRIV_NETINET_ADDRCTRL6); + if (error) + return (error); + } return (in6_src_ioctl(cmd, data)); } @@ -355,8 +355,11 @@ case SIOCSRTRFLUSH_IN6: case SIOCSDEFIFACE_IN6: case SIOCSIFINFO_FLAGS: - if (!privileged) - return (EPERM); + if (td != NULL) { + error = priv_check(td, PRIV_NETINET_ND6); + if (error) + return (error); + } /* FALLTHROUGH */ case OSIOCGIFINFO_IN6: case SIOCGIFINFO_IN6: @@ -383,8 +386,11 @@ switch (cmd) { case SIOCSSCOPE6: - if (!privileged) - return (EPERM); + if (td != NULL) { + error = priv_check(td, PRIV_NETINET_SCOPE6); + if (error) + return (error); + } return (scope6_set(ifp, (struct scope6_id *)ifr->ifr_ifru.ifru_scope_id)); case SIOCGSCOPE6: @@ -398,8 +404,15 @@ switch (cmd) { case SIOCALIFADDR: case SIOCDLIFADDR: - if (!privileged) - return (EPERM); + /* + * XXXRW: Is this checked at another layer? What priv to use + * here? + */ + if (td != NULL) { + error = suser(td); + if (error) + return (error); + } /* FALLTHROUGH */ case SIOCGLIFADDR: return in6_lifaddr_ioctl(so, cmd, data, ifp, td); @@ -488,8 +501,16 @@ if (ifra->ifra_addr.sin6_family != AF_INET6 || ifra->ifra_addr.sin6_len != sizeof(struct sockaddr_in6)) return (EAFNOSUPPORT); - if (!privileged) - return (EPERM); + + /* + * XXXRW: Is this checked at another layer? What priv to use + * here? + */ + if (td != NULL) { + error = suser(td); + if (error) + return (error); + } break; 
@@ -508,8 +529,11 @@ { struct in6_addrlifetime *lt; - if (!privileged) - return (EPERM); + if (td != NULL) { + error = priv_check(td, PRIV_NETINET_ALIFETIME6); + if (error) + return (error); + } if (ia == NULL) return (EADDRNOTAVAIL); /* sanity for overflow - beware unsigned */ Index: sys/netinet6/in6_pcb.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet6/in6_pcb.c,v retrieving revision 1.73 diff -u -r1.73 in6_pcb.c --- sys/netinet6/in6_pcb.c 18 Jul 2006 22:34:27 -0000 1.73 +++ sys/netinet6/in6_pcb.c 30 Oct 2006 17:07:56 -0000 @@ -77,6 +77,7 @@ #include #include #include +#include #include #include @@ -190,8 +191,12 @@ /* GROSS */ if (ntohs(lport) <= ipport_reservedhigh && ntohs(lport) >= ipport_reservedlow && - suser_cred(cred, SUSER_ALLOWJAIL)) + priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL)) return (EACCES); + /* + * XXXRW: What priv to use here? + */ if (!IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr) && suser_cred(so->so_cred, SUSER_ALLOWJAIL) != 0) { t = in6_pcblookup_local(pcbinfo, Index: sys/netinet6/in6_src.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet6/in6_src.c,v retrieving revision 1.39 diff -u -r1.39 in6_src.c --- sys/netinet6/in6_src.c 4 Aug 2006 21:27:38 -0000 1.39 +++ sys/netinet6/in6_src.c 30 Oct 2006 17:07:56 -0000 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include 
@@ -772,7 +773,9 @@ last = ipport_hilastauto; lastport = &pcbinfo->lasthi; } else if (inp->inp_flags & INP_LOWPORT) { - if ((error = suser_cred(cred, 0))) + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL); + if (error) return error; first = ipport_lowfirstauto; /* 1023 */ last = ipport_lowlastauto; /* 600 */ Index: sys/netinet6/ipsec.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet6/ipsec.c,v retrieving revision 1.46 diff -u -r1.46 ipsec.c --- sys/netinet6/ipsec.c 4 Aug 2006 21:27:39 -0000 1.46 +++ sys/netinet6/ipsec.c 30 Oct 2006 17:07:56 -0000 @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include @@ -1221,8 +1222,14 @@ } bzero(new, sizeof(*new)); - if (so->so_cred != NULL && - suser_cred(so->so_cred, SUSER_ALLOWJAIL) == 0) + /* + * XXXRW: Can we avoid caching the privilege decision here, and + * instead cache the credential? + * + * XXXRW: Why is suser_allowjail set here? + */ + if (so->so_cred != NULL && priv_check_cred(so->so_cred, + PRIV_NETINET_IPSEC, 0) == 0) new->priv = 1; else new->priv = 0; Index: sys/netinet6/udp6_usrreq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netinet6/udp6_usrreq.c,v retrieving revision 1.68 diff -u -r1.68 udp6_usrreq.c --- sys/netinet6/udp6_usrreq.c 7 Sep 2006 18:44:54 -0000 1.68 +++ sys/netinet6/udp6_usrreq.c 30 Oct 2006 17:07:56 -0000 @@ -70,6 +70,7 @@ #include #include #include +#include #include #include #include 
@@ -434,7 +435,8 @@ struct inpcb *inp; int error; - error = suser(req->td); + error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, + SUSER_ALLOWJAIL); if (error) return (error); Index: sys/netipsec/ipsec_osdep.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netipsec/ipsec_osdep.h,v retrieving revision 1.3 diff -u -r1.3 ipsec_osdep.h --- sys/netipsec/ipsec_osdep.h 27 Jun 2006 11:41:21 -0000 1.3 +++ sys/netipsec/ipsec_osdep.h 30 Oct 2006 17:07:56 -0000 @@ -215,11 +215,13 @@ * NetBSD (1.6N) tests (so)->so_uid == 0). * This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro. * + * XXXRW: Why was this suser_allowjail? */ #ifdef __FreeBSD__ #define IPSEC_IS_PRIVILEGED_SO(_so) \ ((_so)->so_cred != NULL && \ - suser_cred((_so)->so_cred, SUSER_ALLOWJAIL) == 0) + priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \ + == 0) #endif /* __FreeBSD__ */ #ifdef __NetBSD__ Index: sys/netipx/ipx_pcb.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netipx/ipx_pcb.c,v retrieving revision 1.45 diff -u -r1.45 ipx_pcb.c --- sys/netipx/ipx_pcb.c 25 Mar 2006 17:28:42 -0000 1.45 +++ sys/netipx/ipx_pcb.c 30 Oct 2006 17:07:56 -0000 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include 
@@ -107,11 +108,10 @@ lport = sipx->sipx_port; if (lport) { u_short aport = ntohs(lport); - int error; - if (aport < IPXPORT_RESERVED && - td != NULL && (error = suser(td)) != 0) - return (error); + if (aport < IPXPORT_RESERVED && td != NULL && + priv_check(td, PRIV_NETIPX_RESERVEDPORT)) + return (EACCES); if (ipx_pcblookup(&zeroipx_addr, lport, 0)) return (EADDRINUSE); } Index: sys/netipx/ipx_usrreq.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netipx/ipx_usrreq.c,v retrieving revision 1.57 diff -u -r1.57 ipx_usrreq.c --- sys/netipx/ipx_usrreq.c 21 Jul 2006 17:11:14 -0000 1.57 +++ sys/netipx/ipx_usrreq.c 30 Oct 2006 17:07:56 -0000 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include @@ -658,8 +659,13 @@ struct ipxpcb *ipxp = sotoipxpcb(so); KASSERT(ipxp == NULL, ("ripx_attach: ipxp != NULL")); - if (td != NULL && (error = suser(td)) != 0) - return (error); + + if (td != NULL) { + error = priv_check(td, PRIV_NETIPX_RAW); + if (error) + return (error); + } + /* * We hold the IPX list lock for the duration as address parameters * of the IPX pcb are changed. Since no one else holds a reference Index: sys/netncp/ncp_conn.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netncp/ncp_conn.c,v retrieving revision 1.28 diff -u -r1.28 ncp_conn.c --- sys/netncp/ncp_conn.c 14 Jan 2006 11:40:32 -0000 1.28 +++ sys/netncp/ncp_conn.c 30 Oct 2006 17:07:56 -0000 @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include Index: sys/netncp/ncp_mod.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netncp/ncp_mod.c,v retrieving revision 1.15 diff -u -r1.15 ncp_mod.c --- sys/netncp/ncp_mod.c 7 Jan 2005 01:45:48 -0000 1.15 +++ sys/netncp/ncp_mod.c 30 Oct 2006 17:07:56 -0000 
@@ -37,6 +37,7 @@ #include #include #include +#include #include #include #include Index: sys/netncp/ncp_subr.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netncp/ncp_subr.h,v retrieving revision 1.9 diff -u -r1.9 ncp_subr.h --- sys/netncp/ncp_subr.h 7 Jan 2005 01:45:49 -0000 1.9 +++ sys/netncp/ncp_subr.h 30 Oct 2006 17:07:56 -0000 @@ -84,7 +84,7 @@ #define checkbad(fn) {error=(fn);if(error) goto bad;} -#define ncp_suser(cred) suser_cred(cred, 0) +#define ncp_suser(cred) priv_check_cred(cred, PRIV_NETNCP, 0) #define ncp_isowner(conn,cred) ((cred)->cr_uid == (conn)->nc_owner->cr_uid) Index: sys/netsmb/smb_conn.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netsmb/smb_conn.c,v retrieving revision 1.17 diff -u -r1.17 smb_conn.c --- sys/netsmb/smb_conn.c 17 Jul 2006 16:12:59 -0000 1.17 +++ sys/netsmb/smb_conn.c 30 Oct 2006 17:07:56 -0000 @@ -41,6 +41,7 @@ #include #include #include +#include #include #include #include Index: sys/netsmb/smb_subr.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/netsmb/smb_subr.h,v retrieving revision 1.12 diff -u -r1.12 smb_subr.h --- sys/netsmb/smb_subr.h 7 Jan 2005 01:45:49 -0000 1.12 +++ sys/netsmb/smb_subr.h 30 Oct 2006 17:07:56 -0000 @@ -68,7 +68,7 @@ SIGISMEMBER(set, SIGHUP) || SIGISMEMBER(set, SIGKILL) || \ SIGISMEMBER(set, SIGQUIT)) -#define smb_suser(cred) suser_cred(cred, 0) +#define smb_suser(cred) priv_check_cred(cred, PRIV_NETSMB, 0) /* * Compatibility wrappers for simple locks Index: sys/nfsserver/nfs_syscalls.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/nfsserver/nfs_syscalls.c,v retrieving revision 1.107 diff -u -r1.107 nfs_syscalls.c --- sys/nfsserver/nfs_syscalls.c 22 Oct 2006 11:52:17 -0000 1.107 +++ sys/nfsserver/nfs_syscalls.c 30 Oct 2006 17:07:56 -0000 
@@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -142,7 +143,7 @@ if (error) return (error); #endif - error = suser(td); + error = priv_check(td, PRIV_NFSD); if (error) return (error); NET_LOCK_GIANT(); Index: sys/pc98/cbus/fdc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/pc98/cbus/fdc.c,v retrieving revision 1.167 diff -u -r1.167 fdc.c --- sys/pc98/cbus/fdc.c 8 Sep 2006 21:46:01 -0000 1.167 +++ sys/pc98/cbus/fdc.c 30 Oct 2006 17:07:56 -0000 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include @@ -2512,7 +2513,7 @@ #endif case FD_CLRERR: - if (suser(td) != 0) + if (priv_check(td, PRIV_DRIVER) != 0) return (EPERM); fd->fdc->fdc_errs = 0; return (0); @@ -2556,7 +2557,7 @@ case FD_STYPE: /* set drive type */ /* this is considered harmful; only allow for superuser */ - if (suser(td) != 0) + if (priv_check(td, PRIV_DRIVER) != 0) return (EPERM); *fd->ft = *(struct fd_type *)addr; break; @@ -2580,7 +2581,7 @@ #endif case FD_CLRERR: - if (suser(td) != 0) + if (priv_check(td, PRIV_DRIVER) != 0) return (EPERM); fd->fdc->fdc_errs = 0; break; Index: sys/posix4/p1003_1b.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/posix4/p1003_1b.c,v retrieving revision 1.30 diff -u -r1.30 p1003_1b.c --- sys/posix4/p1003_1b.c 13 Jul 2006 06:41:26 -0000 1.30 +++ sys/posix4/p1003_1b.c 30 Oct 2006 17:07:56 -0000 @@ -44,6 +44,7 @@ #include #include #include +#include #include #include #include 
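Review bot: In the sys/netipx/ipx_pcb.c hunk at @@ -107,11 +108,10 @@, the reserved-port check now returns a hard-coded EACCES and throws away the value priv_check(td, PRIV_NETIPX_RESERVEDPORT) returned, where the old code returned whatever suser(td) produced. The ripx_attach() hunk in ipx_usrreq.c and the nfs_syscalls.c hunk both propagate the error instead, so this one changes the errno seen by callers and is inconsistent with its neighbours. If EACCES is wanted for a refused reserved-port bind, note that in a comment; otherwise keep the local "int error;" and return it.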
@@ -186,9 +187,10 @@ struct thread *targettd; struct proc *targetp; - /* Don't allow non root user to set a scheduler policy */ - if (suser(td) != 0) - return (EPERM); + /* Don't allow non root user to set a scheduler policy. */ + e = priv_check(td, PRIV_SCHED_SET); + if (e) + return (e); e = copyin(uap->param, &sched_param, sizeof(sched_param)); if (e) Index: sys/security/audit/audit.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/audit/audit.c,v retrieving revision 1.21 diff -u -r1.21 audit.c --- sys/security/audit/audit.c 2 Oct 2006 11:32:23 -0000 1.21 +++ sys/security/audit/audit.c 30 Oct 2006 17:07:56 -0000 @@ -42,6 +42,7 @@ #include #include #include +#include #include #include #include @@ -509,7 +510,8 @@ * audit record is still required for this event by * re-calling au_preselect(). */ - if (audit_in_failure && suser(td) != 0) { + if (audit_in_failure && + priv_check(td, PRIV_AUDIT_FAILSTOP) != 0) { cv_wait(&audit_fail_cv, &audit_mtx); panic("audit_failing_stop: thread continued"); } Index: sys/security/audit/audit_pipe.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/audit/audit_pipe.c,v retrieving revision 1.9 diff -u -r1.9 audit_pipe.c --- sys/security/audit/audit_pipe.c 26 Aug 2006 17:59:31 -0000 1.9 +++ sys/security/audit/audit_pipe.c 30 Oct 2006 17:07:56 -0000 
@@ -626,9 +626,9 @@ } /* - * Audit pipe open method. Explicit suser check isn't used as this allows - * file permissions on the special device to be used to grant audit review - * access. + * Audit pipe open method. Explicit privilege check isn't used as this + * allows file permissions on the special device to be used to grant audit + * review access. Those file permissions should be managed carefully. */ static int audit_pipe_open(struct cdev *dev, int oflags, int devtype, struct thread *td) Index: sys/security/audit/audit_syscalls.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/audit/audit_syscalls.c,v retrieving revision 1.8 diff -u -r1.8 audit_syscalls.c --- sys/security/audit/audit_syscalls.c 10 Oct 2006 15:49:10 -0000 1.8 +++ sys/security/audit/audit_syscalls.c 30 Oct 2006 17:07:56 -0000 @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include @@ -66,7 +67,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_SUBMIT); if (error) return (error); @@ -156,7 +157,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); AUDIT_ARG(cmd, uap->cmd); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_CONTROL); if (error) return (error); @@ -404,7 +405,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_GETAUDIT); if (error) return (error); @@ -428,7 +429,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_SETAUDIT); if (error) return (error); @@ -468,7 +469,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_GETAUDIT); if (error) return (error); @@ -489,7 +490,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_SETAUDIT); if (error) return (error); 
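Review bot: In the sys/posix4/p1003_1b.c hunk at @@ -186,9 +187,10 @@, the comment still reads "Don't allow non root user to set a scheduler policy." but the check is PRIV_SCHED_SET, which sys/sys/priv.h in this patch describes as "Can set thread scheduler", while PRIV_SCHED_SETPOLICY is the one described as "Can set scheduler policy". Please confirm which privilege is meant and reword the comment in terms of that privilege rather than root. The failure value also changes from a fixed EPERM to whatever priv_check() returns, which is worth a line in the commit message.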
@@ -518,7 +519,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_GETAUDIT); if (error) return (error); return (ENOSYS); @@ -533,7 +534,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_SETAUDIT); if (error) return (error); return (ENOSYS); @@ -557,7 +558,7 @@ if (jailed(td->td_ucred)) return (ENOSYS); - error = suser(td); + error = priv_check(td, PRIV_AUDIT_CONTROL); if (error) return (error); Index: sys/security/mac/mac_framework.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac/mac_framework.h,v retrieving revision 1.74 diff -u -r1.74 mac_framework.h --- sys/security/mac/mac_framework.h 25 Oct 2006 13:14:25 -0000 1.74 +++ sys/security/mac/mac_framework.h 30 Oct 2006 17:07:56 -0000 @@ -407,6 +407,8 @@ struct label *label); void mac_cred_mmapped_drop_perms(struct thread *td, struct ucred *cred); void mac_associate_nfsd_label(struct ucred *cred); +int mac_priv_check(struct ucred *cred, int priv); +int mac_priv_grant(struct ucred *cred, int priv); /* * Calls to help various file systems implement labeling functionality Index: sys/security/mac/mac_internal.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac/mac_internal.h,v retrieving revision 1.114 diff -u -r1.114 mac_internal.h --- sys/security/mac/mac_internal.h 20 Sep 2006 13:33:40 -0000 1.114 +++ sys/security/mac/mac_internal.h 30 Oct 2006 17:07:56 -0000 @@ -2,6 +2,7 @@ * Copyright (c) 1999-2002 Robert N. M. Watson * Copyright (c) 2001 Ilmar S. Habibulin * Copyright (c) 2001-2004 Networks Associates Technology, Inc. + * Copyright (c) 2006 nCircle Network Security, Inc. * All rights reserved. * * This software was developed by Robert Watson and Ilmar Habibulin for the 
@@ -12,6 +13,9 @@ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), * as part of the DARPA CHATS research program. * + * This software was developed by Robert N. M. Watson for the TrustedBSD + * Project under contract to nCircle Network Security, Inc. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -152,6 +156,36 @@ } while (0) /* + * MAC_GRANT performs the designated check by walking the policy module + * list and checking with each as to how it feels about the request. Unlike + * MAC_CHECK, it grants if any policies return '0', and otherwise returns + * EPERM. Note that it returns its value via 'error' in the scope of the + * caller. + */ +#define MAC_GRANT(check, args...) do { \ + struct mac_policy_conf *mpc; \ + int entrycount; \ + \ + error = EPERM; \ + LIST_FOREACH(mpc, &mac_static_policy_list, mpc_list) { \ + if (mpc->mpc_ops->mpo_ ## check != NULL) { \ + if (mpc->mpc_ops->mpo_ ## check(args) == 0) \ + error = 0; \ + } \ + } \ + if ((entrycount = mac_policy_list_conditional_busy()) != 0) { \ + LIST_FOREACH(mpc, &mac_policy_list, mpc_list) { \ + if (mpc->mpc_ops->mpo_ ## check != NULL) { \ + if (mpc->mpc_ops->mpo_ ## check (args) \ + == 0) \ + error = 0; \ + } \ + } \ + mac_policy_list_unbusy(); \ + } \ +} while (0) + +/* * MAC_BOOLEAN performs the designated boolean composition by walking * the module list, invoking each instance of the operation, and * combining the results using the passed C operator. Note that it Index: sys/security/mac/mac_net.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac/mac_net.c,v retrieving revision 1.119 diff -u -r1.119 mac_net.c --- sys/security/mac/mac_net.c 22 Oct 2006 11:52:18 -0000 1.119 +++ sys/security/mac/mac_net.c 30 Oct 2006 17:07:56 -0000 
@@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include @@ -470,11 +471,11 @@ } /* - * XXX: Note that this is a redundant privilege check, since - * policies impose this check themselves if required by the - * policy. Eventually, this should go away. + * XXX: Note that this is a redundant privilege check, since policies + * impose this check themselves if required by the policy. + * Eventually, this should go away. */ - error = suser_cred(cred, 0); + error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); if (error) { mac_ifnet_label_free(intlabel); return (error); Index: sys/security/mac/mac_priv.c =================================================================== RCS file: sys/security/mac/mac_priv.c diff -N sys/security/mac/mac_priv.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/security/mac/mac_priv.c 30 Oct 2006 18:53:30 -0000 
@@ -0,0 +1,64 @@ +/*- + * Copyright (c) 2006 nCircle Network Security, Inc. + * All rights reserved. + * + * This software was developed by Robert N. M. Watson for the TrustedBSD + * Project under contract to nCircle Network Security, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, + * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * MAC checks for system privileges. 
+ */ + +#include "opt_mac.h" + +#include +#include +#include +#include + +#include +#include + +int +mac_priv_check(struct ucred *cred, int priv) +{ + int error; + + MAC_CHECK(priv_check, cred, priv); + + return (error); +} + +int +mac_priv_grant(struct ucred *cred, int priv) +{ + int error; + + MAC_GRANT(priv_grant, cred, priv); + + return (error); +} Index: sys/security/mac/mac_system.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac/mac_system.c,v retrieving revision 1.106 diff -u -r1.106 mac_system.c --- sys/security/mac/mac_system.c 22 Oct 2006 11:52:18 -0000 1.106 +++ sys/security/mac/mac_system.c 30 Oct 2006 17:07:56 -0000 @@ -60,6 +60,12 @@ &mac_enforce_system, 0, "Enforce MAC policy on system operations"); TUNABLE_INT("security.mac.enforce_system", &mac_enforce_system); +/* + * XXXRW: Some of these checks now duplicate privilege checks. However, + * others provide additional security context that may be useful to policies. + * We need to review these and remove ones that are pure duplicates. + */ + int mac_check_kenv_dump(struct ucred *cred) { Index: sys/security/mac_bsdextended/mac_bsdextended.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac_bsdextended/mac_bsdextended.c,v retrieving revision 1.29 diff -u -r1.29 mac_bsdextended.c --- sys/security/mac_bsdextended/mac_bsdextended.c 23 Apr 2006 17:06:18 -0000 1.29 +++ sys/security/mac_bsdextended/mac_bsdextended.c 30 Oct 2006 17:07:56 -0000 
@@ -456,6 +456,9 @@ { int error, i; + /* + * XXXRW: More specific privilege selection needed? + */ if (suser_cred(cred, 0) == 0) return (0); Index: sys/security/mac_lomac/mac_lomac.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac_lomac/mac_lomac.c,v retrieving revision 1.41 diff -u -r1.41 mac_lomac.c --- sys/security/mac_lomac/mac_lomac.c 22 Oct 2006 11:52:19 -0000 1.41 +++ sys/security/mac_lomac/mac_lomac.c 30 Oct 2006 17:07:56 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include @@ -1697,8 +1698,10 @@ * Rely on the traditional superuser status for the LOMAC * interface relabel requirements. XXXMAC: This will go * away. + * + * XXXRW: This is also redundant to a higher layer check. */ - error = suser_cred(cred, 0); + error = priv_check_cred(cred, PRIV_NET_SETIFMAC, 0); if (error) return (EPERM); Index: sys/security/mac_partition/mac_partition.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac_partition/mac_partition.c,v retrieving revision 1.11 diff -u -r1.11 mac_partition.c --- sys/security/mac_partition/mac_partition.c 19 Sep 2005 18:52:50 -0000 1.11 +++ sys/security/mac_partition/mac_partition.c 30 Oct 2006 17:07:56 -0000 @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include 
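Review bot: In the MAC_GRANT macro added to sys/security/mac/mac_internal.h (@@ -152,6 +156,36 @@), a return of 0 from any one policy's entry point sets error = 0 and nothing later in the macro can set it back, so the outcome is only as strict as the most permissive loaded module, and every non-zero return a policy gives is collapsed to EPERM. The block comment should state both points and say how a grant composes with mac_priv_check(), which goes through MAC_CHECK, so that a reader can tell whether a denial from one policy can be overridden by a grant from another.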
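Review bot: In the sys/security/mac_bsdextended/mac_bsdextended.c hunk at @@ -456,6 +456,9 @@, only the XXXRW comment is added and the suser_cred(cred, 0) call is left in place, which leaves an unconverted superuser check in a patch that converts the surrounding policies (mac_lomac, mac_partition, mac_portacl, mac_seeotheruids). Either choose the privilege now or extend the comment to say the call is deliberately left on suser_cred() until one is chosen, so it is not mistaken for an oversight.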
@@ -191,7 +192,7 @@ * in a partition in the first place, but this didn't * interact well with sendmail. */ - error = suser_cred(cred, 0); + error = priv_check_cred(cred, PRIV_MAC_PARTITION, 0); } return (error); Index: sys/security/mac_portacl/mac_portacl.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac_portacl/mac_portacl.c,v retrieving revision 1.9 diff -u -r1.9 mac_portacl.c --- sys/security/mac_portacl/mac_portacl.c 10 Oct 2006 17:04:19 -0000 1.9 +++ sys/security/mac_portacl/mac_portacl.c 30 Oct 2006 17:07:56 -0000 @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -427,7 +428,8 @@ mtx_unlock(&rule_mtx); if (error != 0 && mac_portacl_suser_exempt != 0) - error = suser_cred(cred, SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL); return (error); } Index: sys/security/mac_seeotheruids/mac_seeotheruids.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v retrieving revision 1.8 diff -u -r1.8 mac_seeotheruids.c --- sys/security/mac_seeotheruids/mac_seeotheruids.c 30 Sep 2005 23:41:10 -0000 1.8 +++ sys/security/mac_seeotheruids/mac_seeotheruids.c 30 Oct 2006 17:07:56 -0000 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include @@ -126,7 +127,7 @@ return (0); if (suser_privileged) { - if (suser_cred(u1, 0) == 0) + if (priv_check_cred(u1, PRIV_SEEOTHERUIDS, 0) == 0) return (0); } Index: sys/sun4v/sun4v/hvcons.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/sun4v/sun4v/hvcons.c,v retrieving revision 1.2 diff -u -r1.2 hvcons.c --- sys/sun4v/sun4v/hvcons.c 13 Oct 2006 06:45:50 -0000 1.2 +++ sys/sun4v/sun4v/hvcons.c 30 Oct 2006 17:07:56 -0000 @@ -36,6 +36,7 @@ #include #include #include +#include #include #include 
@@ -118,7 +119,8 @@ ttyconsolemode(tp, 0); setuptimeout = 1; - } else if ((tp->t_state & TS_XCLUDE) && suser(td)) { + } else if ((tp->t_state & TS_XCLUDE) && priv_check(td, + PRIV_TTY_EXCLUSIVE)) { return (EBUSY); } Index: sys/sys/jail.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/sys/jail.h,v retrieving revision 1.26 diff -u -r1.26 jail.h --- sys/sys/jail.h 9 Jun 2005 18:49:19 -0000 1.26 +++ sys/sys/jail.h 30 Oct 2006 18:52:31 -0000 @@ -110,6 +110,7 @@ void prison_hold(struct prison *pr); int prison_if(struct ucred *cred, struct sockaddr *sa); int prison_ip(struct ucred *cred, int flag, u_int32_t *ip); +int prison_priv_check(struct ucred *cred, int priv); void prison_remote_ip(struct ucred *cred, int flags, u_int32_t *ip); #endif /* _KERNEL */ Index: sys/sys/mac_policy.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/sys/mac_policy.h,v retrieving revision 1.77 diff -u -r1.77 mac_policy.h --- sys/sys/mac_policy.h 30 Oct 2006 15:20:49 -0000 1.77 +++ sys/sys/mac_policy.h 30 Oct 2006 17:07:56 -0000 @@ -596,6 +596,8 @@ struct ucred *file_cred, struct vnode *vp, struct label *label); typedef void (*mpo_associate_nfsd_label_t)(struct ucred *cred); +typedef int (*mpo_priv_check_t)(struct ucred *cred, int priv); +typedef int (*mpo_priv_grant_t)(struct ucred *cred, int priv); struct mac_policy_ops { /* @@ -886,6 +888,8 @@ mpo_check_vnode_write_t mpo_check_vnode_write; mpo_associate_nfsd_label_t mpo_associate_nfsd_label; mpo_create_mbuf_from_firewall_t mpo_create_mbuf_from_firewall; + mpo_priv_check_t mpo_priv_check; + mpo_priv_grant_t mpo_priv_grant; }; /* Index: sys/sys/priv.h =================================================================== RCS file: sys/sys/priv.h diff -N sys/sys/priv.h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/sys/priv.h 31 Oct 2006 08:20:40 -0000 
@@ -0,0 +1,457 @@ +/*- + * Copyright (c) 2006 nCircle Network Security, Inc. + * All rights reserved. + * + * This software was developed by Robert N. M. Watson for the TrustedBSD + * Project under contract to nCircle Network Security, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY, + * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * Privilege checking interface for BSD kernel. + */ +#ifndef _SYS_PRIV_H_ +#define _SYS_PRIV_H_ + +/* + * Privilege list. In no particular order. + * + * Think carefully before adding or reusing one of these privileges -- are + * there existing instances referring to the same privilege? Third party + * vendors may request the assignment of privileges to be used in loadable + * modules. 
Particular numeric privilege assignments are part of the + * loadable kernel module ABI, and should not be changed across minor + * releases. + * + * When adding a new privilege, remember to determine if it's appropriate for + * use in jail, and update the privilege switch in kern_jail.c as necessary. + */ + +/* + * Track beginning of privilege list. + */ +#define _PRIV_LOWEST 0 + +/* + * PRIV_ROOT is a catch-all for as yet unnamed privileges. No new + * references to this privilege should be added. + */ +#define PRIV_ROOT 1 /* Catch-all during development. */ + +/* + * The remaining privileges typically correspond to one or a small + * number of specific privilege checks, and have (relatively) precise + * meanings. They are loosely sorted into a set of base system + * privileges, such as the ability to reboot, and then loosely by + * subsystem, indicated by a subsystem name. + */ +#define PRIV_ACCT 2 /* Manage process accounting. */ +#define PRIV_MAXFILES 3 /* Exceed system open files limit. */ +#define PRIV_MAXPROC 4 /* Exceed system processes limit. */ +#define PRIV_KTRACE 5 /* Set/clear KTRFAC_ROOT on ktrace. */ +#define PRIV_SETDUMPER 6 /* Configure dump device. */ +#define PRIV_NFSD 7 /* Can become NFS daemon. */ +#define PRIV_REBOOT 8 /* Can reboot system. */ +#define PRIV_SWAPON 9 /* Can swapon(). */ +#define PRIV_SWAPOFF 10 /* Can swapoff(). */ +#define PRIV_MSGBUF 11 /* Can read kernel message buffer. */ +#define PRIV_WITNESS 12 /* Can configure WITNESS. */ +#define PRIV_IO 13 /* Can perform low-level I/O. */ +#define PRIV_KEYBOARD 14 /* Reprogram keyboard. */ +#define PRIV_DRIVER 15 /* Low-level driver privilege. */ +#define PRIV_ADJTIME 16 /* Set time adjustment. */ +#define PRIV_NTP_ADJTIME 17 /* Set NTP time adjustment. */ +#define PRIV_CLOCK_SETTIME 18 /* Can call clock_settime. */ +#define PRIV_SETTIMEOFDAY 19 /* Can call settimeofday. */ +#define PRIV_SETHOSTID 20 /* Can call sethostid. */ +#define PRIV_SETDOMAINNAME 21 /* Can call setdomainname. 
*/ + +/* + * Audit subsystem privileges. + */ +#define PRIV_AUDIT_CONTROL 40 /* Can configure audit. */ +#define PRIV_AUDIT_FAILSTOP 41 /* Can run during audit fail stop. */ +#define PRIV_AUDIT_GETAUDIT 42 /* Can get proc audit properties. */ +#define PRIV_AUDIT_SETAUDIT 43 /* Can set proc audit properties. */ +#define PRIV_AUDIT_SUBMIT 44 /* Can submit an audit record. */ + +/* + * Credential management privileges. + */ +#define PRIV_CRED_SETUID 50 /* setuid. */ +#define PRIV_CRED_SETEUID 51 /* seteuid to !ruid and !svuid. */ +#define PRIV_CRED_SETGID 52 /* setgid. */ +#define PRIV_CRED_SETEGID 53 /* setgid to !rgid and !svgid. */ +#define PRIV_CRED_SETGROUPS 54 /* Set process additional groups. */ +#define PRIV_CRED_SETREUID 55 /* setreuid. */ +#define PRIV_CRED_SETREGID 56 /* setregid. */ +#define PRIV_CRED_SETRESUID 57 /* setresuid. */ +#define PRIV_CRED_SETRESGID 58 /* setresgid. */ +#define PRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ +#define PRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ + +/* + * Debugging privileges. + */ +#define PRIV_DEBUG_DIFFCRED 80 /* Exempt debugging other users. */ +#define PRIV_DEBUG_SUGID 81 /* Exempt debugging setuid proc. */ +#define PRIV_DEBUG_UNPRIV 82 /* Exempt unprivileged debug limit. */ + +/* + * Dtrace privileges. + */ +#define PRIV_DTRACE_KERNEL 90 /* Allow use of DTrace on the kernel. */ +#define PRIV_DTRACE_PROC 91 /* Allow attaching DTrace to process. */ +#define PRIV_DTRACE_USER 92 /* Process may submit DTrace events. */ + +/* + * Firmware privilegs. + */ +#define PRIV_FIRMWARE_LOAD 100 /* Can load firmware. */ + +/* + * Jail privileges. + */ +#define PRIV_JAIL_ATTACH 110 /* Attach to a jail. */ + +/* + * Kernel environment priveleges. + */ +#define PRIV_KENV_SET 120 /* Set kernel env. variables. */ +#define PRIV_KENV_UNSET 121 /* Unset kernel env. variables. */ + +/* + * Loadable kernel module privileges. + */ +#define PRIV_KLD_LOAD 130 /* Load a kernel module. 
*/ +#define PRIV_KLD_UNLOAD 131 /* Unload a kernel module. */ + +/* + * Privileges associated with the MAC Framework and specific MAC policy + * modules. + */ +#define PRIV_MAC_PARTITION 140 /* Privilege in mac_partition policy. */ +#define PRIV_MAC_PRIVS 141 /* Privilege in the mac_privs policy. */ + +/* + * Process-related privileges. + */ +#define PRIV_PROC_LIMIT 160 /* Exceed user process limit. */ +#define PRIV_PROC_SETLOGIN 161 /* Can call setlogin. */ +#define PRIV_PROC_SETRLIMIT 162 /* Can raise resources limits. */ + +/* System V IPC privileges. + */ +#define PRIV_IPC_READ 170 /* Can override IPC read perm. */ +#define PRIV_IPC_WRITE 171 /* Can override IPC write perm. */ +#define PRIV_IPC_EXEC 172 /* Can override IPC exec perm. */ +#define PRIV_IPC_ADMIN 173 /* Can override IPC owner-only perm. */ +#define PRIV_IPC_MSGSIZE 174 /* Exempt IPC message queue limit. */ + +/* + * POSIX message queue privileges. + */ +#define PRIV_MQ_ADMIN 180 /* Can override msgq owner-only perm. */ + +/* + * Performance monitoring counter privileges. + */ +#define PRIV_PMC_MANAGE 190 /* Can administer PMC. */ +#define PRIV_PMC_SYSTEM 191 /* Can allocate a system-wide PMC. */ + +/* + * Scheduling privileges. + */ +#define PRIV_SCHED_DIFFCRED 200 /* Exempt scheduling other users. */ +#define PRIV_SCHED_SETPRIORITY 201 /* Can set lower nice value for proc. */ +#define PRIV_SCHED_RTPRIO 202 /* Can set real time scheduling. */ +#define PRIV_SCHED_SETPOLICY 203 /* Can set scheduler policy. */ +#define PRIV_SCHED_SET 204 /* Can set thread scheduler. */ +#define PRIV_SCHED_SETPARAM 205 /* Can set thread scheduler params. */ + +/* + * POSIX semaphore privileges. + */ +#define PRIV_SEM_WRITE 220 /* Can override sem write perm. */ + +/* + * Signal privileges. + */ +#define PRIV_SIGNAL_DIFFCRED 230 /* Exempt signalling other users. */ +#define PRIV_SIGNAL_SUGID 231 /* Non-conserv signal setuid proc. */ + +/* + * Sysctl privileges. 
+ */ +#define PRIV_SYSCTL_DEBUG 240 /* Can invoke sysctl.debug. */ +#define PRIV_SYSCTL_WRITE 241 /* Can write sysctls. */ +#define PRIV_SYSCTL_WRITEJAIL 242 /* Can write sysctls, jail permitted. */ + +/* + * TTY privileges. + */ +#define PRIV_TTY_CONSOLE 250 /* Set console to tty. */ +#define PRIV_TTY_DRAINWAIT 251 /* Set tty drain wait time. */ +#define PRIV_TTY_DTRWAIT 252 /* Set DTR wait on tty. */ +#define PRIV_TTY_EXCLUSIVE 253 /* Override tty exclusive flag. */ +#define PRIV_TTY_PRISON 254 /* Can open pts across jails. */ +#define PRIV_TTY_STI 255 /* Simulate input on another tty. */ +#define PRIV_TTY_SETA 256 /* Set tty termios structure. */ + +/* + * UFS-specific privileges. + */ +#define PRIV_UFS_EXTATTRCTL 270 /* Can configure EAs on UFS1. */ +#define PRIV_UFS_GETQUOTA 271 /* getquota(). */ +#define PRIV_UFS_QUOTAOFF 272 /* quotaoff(). */ +#define PRIV_UFS_QUOTAON 273 /* quotaon(). */ +#define PRIV_UFS_SETQUOTA 274 /* setquota(). */ +#define PRIV_UFS_SETUSE 275 /* setuse(). */ +#define PRIV_UFS_EXCEEDQUOTA 276 /* Exempt from quota restrictions. */ + +/* + * VFS privileges. + */ +#define PRIV_VFS_READ 310 /* Override vnode DAC read perm. */ +#define PRIV_VFS_WRITE 311 /* Override vnode DAC write perm. */ +#define PRIV_VFS_ADMIN 312 /* Override vnode DAC admin perm. */ +#define PRIV_VFS_EXEC 313 /* Override vnode DAC exec perm. */ +#define PRIV_VFS_LOOKUP 314 /* Override vnode DAC lookup perm. */ +#define PRIV_VFS_BLOCKRESERVE 315 /* Can use free block reserve. */ +#define PRIV_VFS_CHFLAGS_DEV 316 /* Can chflags() a device node. */ +#define PRIV_VFS_CHOWN 317 /* Can set user; group to non-member. */ +#define PRIV_VFS_CHROOT 318 /* chroot(). */ +#define PRIV_VFS_CLEARSUGID 319 /* Don't clear sugid on change. */ +#define PRIV_VFS_EXTATTR_SYSTEM 320 /* Operate on system EA namespace. */ +#define PRIV_VFS_FCHROOT 321 /* fchroot(). */ +#define PRIV_VFS_FHOPEN 322 /* Can fhopen(). */ +#define PRIV_VFS_FHSTAT 323 /* Can fhstat(). 
*/ +#define PRIV_VFS_FHSTATFS 324 /* Can fhstatfs(). */ +#define PRIV_VFS_GENERATION 325 /* stat() returns generation number. */ +#define PRIV_VFS_GETFH 326 /* Can retrieve file handles. */ +#define PRIV_VFS_LINK 327 /* bsd.hardlink_check_uid */ +#define PRIV_VFS_MKNOD_BAD 328 /* Can mknod() to mark bad inodes. */ +#define PRIV_VFS_MKNOD_DEV 329 /* Can mknod() to create dev nodes. */ +#define PRIV_VFS_MKNOD_WHT 330 /* Can mknod() to create whiteout. */ +#define PRIV_VFS_MOUNT 331 /* Can mount(). */ +#define PRIV_VFS_MOUNT_OWNER 332 /* Override owner on user mounts. */ +#define PRIV_VFS_MOUNT_EXPORTED 333 /* Can set MNT_EXPORTED on mount. */ +#define PRIV_VFS_MOUNT_PERM 334 /* Override dev node perms at mount. */ +#define PRIV_VFS_MOUNT_SUIDDIR 335 /* Can set MNT_SUIDDIR on mount. */ +#define PRIV_VFS_MOUNT_NONUSER 336 /* Can perform a non-user mount. */ +#define PRIV_VFS_SETGID 337 /* Can setgid if not in group. */ +#define PRIV_VFS_STICKYFILE 338 /* Can set sticky bit on file. */ +#define PRIV_VFS_SYSFLAGS 339 /* Can modify system flags. */ +#define PRIV_VFS_UNMOUNT 340 /* Can unmount(). */ + +/* + * Virtual memory privileges. + */ +#define PRIV_VM_MADV_PROTECT 360 /* Can set MADV_PROTECT. */ +#define PRIV_VM_MLOCK 361 /* Can mlock(), mlockall(). */ +#define PRIV_VM_MUNLOCK 362 /* Can munlock(), munlockall(). */ + +/* + * Device file system privileges. + */ +#define PRIV_DEVFS_RULE 370 /* Can manage devfs rules. */ +#define PRIV_DEVFS_SYMLINK 371 /* Can create symlinks in devfs. */ + +/* + * Random number generator privileges. + */ +#define PRIV_RANDOM_RESEED 380 /* Closing /dev/random reseeds. */ + +/* + * Network stack privileges. + */ +#define PRIV_NET_BRIDGE 390 /* Administer bridge. */ +#define PRIV_NET_GRE 391 /* Administer GRE. */ +#define PRIV_NET_PPP 392 /* Administer PPP. */ +#define PRIV_NET_SLIP 393 /* Administer SLIP. */ +#define PRIV_NET_BPF 394 /* Monitor BPF. */ +#define PRIV_NET_RAW 395 /* Open raw socket. 
*/ +#define PRIV_NET_ROUTE 396 /* Administer routing. */ +#define PRIV_NET_TAP 397 /* Can open tap device. */ +#define PRIV_NET_SETIFMTU 398 /* Set interface MTU. */ +#define PRIV_NET_SETIFFLAGS 399 /* Set interface flags. */ +#define PRIV_NET_SETIFCAP 400 /* Set interface capabilities. */ +#define PRIV_NET_SETIFNAME 401 /* Set interface name. */ +#define PRIV_NET_SETIFMETRIC 402 /* Set interface metrics. */ +#define PRIV_NET_SETIFPHYS 403 /* Set interface physical layer prop. */ +#define PRIV_NET_SETIFMAC 404 /* Set interface MAC label. */ +#define PRIV_NET_ADDMULTI 405 /* Add multicast addr. to ifnet. */ +#define PRIV_NET_DELMULTI 406 /* Delete multicast addr. from ifnet. */ +#define PRIV_NET_HWIOCTL 507 /* Issue hardware ioctl on ifnet. */ +#define PRIV_NET_SETLLADDR 508 +#define PRIV_NET_ADDIFGROUP 509 /* Add new interface group. */ +#define PRIV_NET_DELIFGROUP 510 /* Delete interface group. */ +#define PRIV_NET_IFCREATE 511 /* Create cloned interface. */ +#define PRIV_NET_IFDESTROY 512 /* Destroy cloned interface. */ +#define PRIV_NET_ADDIFADDR 513 /* Add protocol addr to interface. */ +#define PRIV_NET_DELIFADDR 514 /* Delete protocol addr on interface. */ + +/* + * 802.11-related privileges. + */ +#define PRIV_NET80211_GETKEY 540 /* Query 802.11 keys. */ +#define PRIV_NET80211_MANAGE 541 /* Administer 802.11. */ + +/* + * AppleTalk privileges. + */ +#define PRIV_NETATALK_RESERVEDPORT 550 /* Bind low port number. */ + +/* + * ATM privileges. + */ +#define PRIV_NETATM_CFG 560 +#define PRIV_NETATM_ADD 561 +#define PRIV_NETATM_DEL 562 +#define PRIV_NETATM_SET 563 + +/* + * Bluetooth privileges. + */ +#define PRIV_NETBLUETOOTH_RAW 570 /* Open raw bluetooth socket. */ + +/* + * Netgraph and netgraph module privileges. + */ +#define PRIV_NETGRAPH_CONTROL 580 /* Open netgraph control socket. */ +#define PRIV_NETGRAPH_TTY 581 /* Configure tty for netgraph. */ + +/* + * IPv4 and IPv6 privileges. + */ +#define PRIV_NETINET_RESERVEDPORT 590 /* Bind low port number. 
*/ +#define PRIV_NETINET_IPFW 591 /* Administer IPFW firewall. */ +#define PRIV_NETINET_DIVERT 592 /* Open IP divert socket. */ +#define PRIV_NETINET_PF 593 /* Administer pf firewall. */ +#define PRIV_NETINET_DUMMYNET 594 /* Administer DUMMYNET. */ +#define PRIV_NETINET_CARP 595 /* Administer CARP. */ +#define PRIV_NETINET_MROUTE 596 /* Administer multicast routing. */ +#define PRIV_NETINET_RAW 597 /* Open netinet raw socket. */ +#define PRIV_NETINET_GETCRED 598 /* Query netinet pcb credentials. */ +#define PRIV_NETINET_ADDRCTRL6 599 /* Administer IPv6 address scopes. */ +#define PRIV_NETINET_ND6 600 /* Administer IPv6 neighbor disc. */ +#define PRIV_NETINET_SCOPE6 601 /* Administer IPv6 address scopes. */ +#define PRIV_NETINET_ALIFETIME6 602 /* Administer IPv6 address lifetimes. */ +#define PRIV_NETINET_IPSEC 603 /* Administer IPSEC. */ + +/* + * IPX/SPX privileges. + */ +#define PRIV_NETIPX_RESERVEDPORT 620 /* Bind low port number. */ +#define PRIV_NETIPX_RAW 621 /* Open netipx raw socket. */ + +/* + * NCP privileges. + */ +#define PRIV_NETNCP 630 /* Use another user's connection. */ + +/* + * SMB privileges. + */ +#define PRIV_NETSMB 640 /* Use another user's connection. */ + +/* + * VM86 privileges. + */ +#define PRIV_VM86_INTCALL 650/* Allow invoking vm86 int handlers. */ + +/* + * Set of reserved privilege values, which will be allocated to code as + * needed, in order to avoid renumbering later privileges due to insertion. 
+ */ +#define _PRIV_RESERVED0 660 +#define _PRIV_RESERVED1 661 +#define _PRIV_RESERVED2 662 +#define _PRIV_RESERVED3 663 +#define _PRIV_RESERVED4 664 +#define _PRIV_RESERVED5 665 +#define _PRIV_RESERVED6 666 +#define _PRIV_RESERVED7 667 +#define _PRIV_RESERVED8 668 +#define _PRIV_RESERVED9 669 +#define _PRIV_RESERVED10 670 +#define _PRIV_RESERVED11 671 +#define _PRIV_RESERVED12 672 +#define _PRIV_RESERVED13 673 +#define _PRIV_RESERVED14 674 +#define _PRIV_RESERVED15 675 + +/* + * Define a set of valid privilege numbers that can be used by loadable + * modules that don't yet have privilege reservations. Ideally, these should + * not be used, since their meaning is opaque to any policies that are aware + * of specific privileges, such as jail, and as such may be arbitrarily + * denied. + */ +#define PRIV_MODULE0 700 +#define PRIV_MODULE1 701 +#define PRIV_MODULE2 702 +#define PRIV_MODULE3 703 +#define PRIV_MODULE4 704 +#define PRIV_MODULE5 705 +#define PRIV_MODULE6 706 +#define PRIV_MODULE7 707 +#define PRIV_MODULE8 708 +#define PRIV_MODULE9 709 +#define PRIV_MODULE10 710 +#define PRIV_MODULE11 711 +#define PRIV_MODULE12 712 +#define PRIV_MODULE13 713 +#define PRIV_MODULE14 714 +#define PRIV_MODULE15 715 + +/* + * Track end of privilege list. + */ +#define _PRIV_HIGHEST 716 + +/* + * Validate that a named privilege is known by the privilege system. Invalid + * privileges presented to the privilege system by a priv_check interface + * will result in a panic. This is only approximate due to sparse allocation + * of the privilege space. + */ +#define PRIV_VALID(x) ((x) > _PRIV_LOWEST && (x) < _PRIV_HIGHEST) + +#ifdef _KERNEL +/* + * Privilege check interfaces, modeled after historic suser() interfacs, but + * with the addition of a specific privilege name. The existing SUSER_* flag + * name space is used here. 
The jail flag will likely be something that can + * be removed at some point as jail itself will be able to decide if the priv + * is appropriate, rather than the caller. + */ +struct thread; +struct ucred; +int priv_check(struct thread *td, int priv); +int priv_check_cred(struct ucred *cred, int priv, int flags); +#endif + +#endif /* !_SYS_PRIV_H_ */ Index: sys/sys/systm.h =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/sys/systm.h,v retrieving revision 1.245 diff -u -r1.245 systm.h --- sys/sys/systm.h 17 Oct 2006 02:24:47 -0000 1.245 +++ sys/sys/systm.h 30 Oct 2006 17:07:56 -0000 @@ -230,7 +230,7 @@ #define SUSER_RUID 2 int suser(struct thread *td); -int suser_cred(struct ucred *cred, int flag); +int suser_cred(struct ucred *cred, int flags); int cr_cansee(struct ucred *u1, struct ucred *u2); int cr_canseesocket(struct ucred *cred, struct socket *so); Index: sys/ufs/ffs/ffs_alloc.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ffs/ffs_alloc.c,v retrieving revision 1.140 diff -u -r1.140 ffs_alloc.c --- sys/ufs/ffs/ffs_alloc.c 18 Jul 2006 07:03:43 -0000 1.140 +++ sys/ufs/ffs/ffs_alloc.c 30 Oct 2006 17:07:56 -0000 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include @@ -171,7 +172,7 @@ #endif if (size == fs->fs_bsize && fs->fs_cstotal.cs_nbfree == 0) goto nospace; - if (suser_cred(cred, SUSER_ALLOWJAIL) && + if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) && freespace(fs, fs->fs_minfree) - numfrags(fs, size) < 0) goto nospace; if (bpref >= fs->fs_size) 
@@ -259,7 +260,7 @@ #endif /* DIAGNOSTIC */ reclaimed = 0; retry: - if (suser_cred(cred, SUSER_ALLOWJAIL) && + if (priv_check_cred(cred, PRIV_VFS_BLOCKRESERVE, SUSER_ALLOWJAIL) && freespace(fs, fs->fs_minfree) - numfrags(fs, nsize - osize) < 0) { goto nospace; } Index: sys/ufs/ffs/ffs_vfsops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ffs/ffs_vfsops.c,v retrieving revision 1.321 diff -u -r1.321 ffs_vfsops.c --- sys/ufs/ffs/ffs_vfsops.c 22 Oct 2006 11:52:19 -0000 1.321 +++ sys/ufs/ffs/ffs_vfsops.c 30 Oct 2006 17:07:56 -0000 @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -257,15 +258,16 @@ * If upgrade to read-write by non-root, then verify * that user has necessary permissions on the device. */ - if (suser(td)) { - vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); - if ((error = VOP_ACCESS(devvp, VREAD | VWRITE, - td->td_ucred, td)) != 0) { - VOP_UNLOCK(devvp, 0, td); - return (error); - } + vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY, td); + error = VOP_ACCESS(devvp, VREAD | VWRITE, + td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { VOP_UNLOCK(devvp, 0, td); + return (error); } + VOP_UNLOCK(devvp, 0, td); fs->fs_flags &= ~FS_UNCLEAN; if (fs->fs_clean == 0) { fs->fs_flags |= FS_UNCLEAN; 
@@ -364,14 +366,15 @@ * If mount by non-root, then verify that user has necessary * permissions on the device. */ - if (suser(td)) { - accessmode = VREAD; - if ((mp->mnt_flag & MNT_RDONLY) == 0) - accessmode |= VWRITE; - if ((error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td))!= 0){ - vput(devvp); - return (error); - } + accessmode = VREAD; + if ((mp->mnt_flag & MNT_RDONLY) == 0) + accessmode |= VWRITE; + error = VOP_ACCESS(devvp, accessmode, td->td_ucred, td); + if (error) + error = priv_check(td, PRIV_VFS_MOUNT_PERM); + if (error) { + vput(devvp); + return (error); } if (mp->mnt_flag & MNT_UPDATE) { Index: sys/ufs/ffs/ffs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ffs/ffs_vnops.c,v retrieving revision 1.161 diff -u -r1.161 ffs_vnops.c --- sys/ufs/ffs/ffs_vnops.c 10 Oct 2006 09:20:54 -0000 1.161 +++ sys/ufs/ffs/ffs_vnops.c 30 Oct 2006 17:07:56 -0000 @@ -74,6 +74,7 @@ #include #include #include +#include #include #include #include @@ -781,7 +782,8 @@ * tampering. */ if (resid > uio->uio_resid && ap->a_cred && - suser_cred(ap->a_cred, SUSER_ALLOWJAIL)) { + priv_check_cred(ap->a_cred, PRIV_VFS_CLEARSUGID, + SUSER_ALLOWJAIL)) { ip->i_mode &= ~(ISUID | ISGID); DIP_SET(ip, i_mode, ip->i_mode); } @@ -1107,7 +1109,7 @@ * tampering. */ if (resid > uio->uio_resid && ucred && - suser_cred(ucred, SUSER_ALLOWJAIL)) { + priv_check_cred(ucred, PRIV_VFS_CLEARSUGID, SUSER_ALLOWJAIL)) { ip->i_mode &= ~(ISUID | ISGID); dp->di_mode = ip->i_mode; } Index: sys/ufs/ufs/ufs_extattr.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ufs/ufs_extattr.c,v retrieving revision 1.84 diff -u -r1.84 ufs_extattr.c --- sys/ufs/ufs/ufs_extattr.c 1 Feb 2006 00:25:26 -0000 1.84 +++ sys/ufs/ufs/ufs_extattr.c 30 Oct 2006 17:07:56 -0000 @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include 
@@ -699,7 +700,8 @@ * Processes with privilege, but in jail, are not allowed to * configure extended attributes. */ - if ((error = suser(td))) { + error = priv_check(td, PRIV_UFS_EXTATTRCTL); + if (error) { if (filename_vp != NULL) VOP_UNLOCK(filename_vp, 0, td); return (error); Index: sys/ufs/ufs/ufs_quota.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ufs/ufs_quota.c,v retrieving revision 1.84 diff -u -r1.84 ufs_quota.c --- sys/ufs/ufs/ufs_quota.c 26 Sep 2006 04:12:49 -0000 1.84 +++ sys/ufs/ufs/ufs_quota.c 30 Oct 2006 17:07:56 -0000 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include #include @@ -165,7 +166,8 @@ } return (0); } - if ((flags & FORCE) == 0 && suser_cred(cred, 0)) { + if ((flags & FORCE) == 0 && priv_check_cred(cred, + PRIV_UFS_EXCEEDQUOTA, 0)) { for (i = 0; i < MAXQUOTAS; i++) { if ((dq = ip->i_dquot[i]) == NODQUOT) continue; @@ -288,7 +290,8 @@ } return (0); } - if ((flags & FORCE) == 0 && suser_cred(cred, 0)) { + if ((flags & FORCE) == 0 && priv_check_cred(cred, + PRIV_UFS_EXCEEDQUOTA, 0)) { for (i = 0; i < MAXQUOTAS; i++) { if ((dq = ip->i_dquot[i]) == NODQUOT) continue; @@ -423,7 +426,11 @@ int error, flags; struct nameidata nd; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + /* + * XXXRW: Can this be right? Jail is allowed to do this? + */ + error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAON, + SUSER_ALLOWJAIL); if (error) return (error); @@ -517,7 +524,11 @@ struct inode *ip; int error; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + /* + * XXXRW: This also seems wrong to allow in a jail? + */ + error = priv_check_cred(td->td_ucred, PRIV_UFS_QUOTAOFF, + SUSER_ALLOWJAIL); if (error) return (error); 
@@ -589,15 +600,18 @@ switch (type) { case USRQUOTA: if ((td->td_ucred->cr_uid != id) && !unprivileged_get_quota) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, + PRIV_UFS_GETQUOTA, SUSER_ALLOWJAIL); if (error) return (error); } break; case GRPQUOTA: - if (!groupmember(id, td->td_ucred) && !unprivileged_get_quota) { - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + if (!groupmember(id, td->td_ucred) && + !unprivileged_get_quota) { + error = priv_check_cred(td->td_ucred, + PRIV_UFS_GETQUOTA, SUSER_ALLOWJAIL); if (error) return (error); } @@ -632,7 +646,8 @@ struct dqblk newlim; int error; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_UFS_SETQUOTA, + SUSER_ALLOWJAIL); if (error) return (error); @@ -698,7 +713,8 @@ struct dqblk usage; int error; - error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL); + error = priv_check_cred(td->td_ucred, PRIV_UFS_SETUSE, + SUSER_ALLOWJAIL); if (error) return (error); Index: sys/ufs/ufs/ufs_vnops.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.281 diff -u -r1.281 ufs_vnops.c --- sys/ufs/ufs/ufs_vnops.c 22 Oct 2006 11:52:19 -0000 1.281 +++ sys/ufs/ufs/ufs_vnops.c 30 Oct 2006 17:07:56 -0000 @@ -53,6 +53,7 @@ #include #include #include +#include #include #include #include @@ -490,8 +491,11 @@ * processes if the security.jail.chflags_allowed sysctl is * is non-zero; otherwise, they behave like unprivileged * processes. + * + * XXXRW: Move implementation of jail_chflags_allowed to + * kern_jail.c. */ - if (!suser_cred(cred, + if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, jail_chflags_allowed ? SUSER_ALLOWJAIL : 0)) { if (ip->i_flags & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) { 
@@ -582,10 +586,19 @@ * super-user. * If times is non-NULL, ... The caller must be the owner of * the file or be the super-user. + * + * Possibly for historical reasons, try to use VADMIN in + * preference to VADMIN for a NULL timestamp. This means we + * will return EACCES in preference to EPERM if neither + * check succeeds. */ - if ((error = VOP_ACCESS(vp, VADMIN, cred, td)) && - ((vap->va_vaflags & VA_UTIMES_NULL) == 0 || - (error = VOP_ACCESS(vp, VWRITE, cred, td)))) + if (vap->va_vaflags & VA_UTIMES_NULL) { + error = VOP_ACCESS(vp, VADMIN, cred, td); + if (error) + error = VOP_ACCESS(vp, VWRITE, cred, td); + } else + error = VOP_ACCESS(vp, VADMIN, cred, td); + if (error) return (error); if (vap->va_atime.tv_sec != VNOVAL) ip->i_flag |= IN_ACCESS; @@ -651,11 +664,13 @@ * jail(8). */ if (vp->v_type != VDIR && (mode & S_ISTXT)) { - if (suser_cred(cred, SUSER_ALLOWJAIL)) + if (priv_check_cred(cred, PRIV_VFS_STICKYFILE, + SUSER_ALLOWJAIL)) return (EFTYPE); } if (!groupmember(ip->i_gid, cred) && (mode & ISGID)) { - error = suser_cred(cred, SUSER_ALLOWJAIL); + error = priv_check_cred(cred, PRIV_VFS_SETGID, + SUSER_ALLOWJAIL); if (error) return (error); } 
@@ -692,19 +707,19 @@ if (gid == (gid_t)VNOVAL) gid = ip->i_gid; /* - * To modify the ownership of a file, must possess VADMIN - * for that file. + * To modify the ownership of a file, must possess VADMIN for that + * file. */ if ((error = VOP_ACCESS(vp, VADMIN, cred, td))) return (error); /* - * To change the owner of a file, or change the group of a file - * to a group of which we are not a member, the caller must - * have privilege. + * To change the owner of a file, or change the group of a file to a + * group of which we are not a member, the caller must have + * privilege. */ if ((uid != ip->i_uid || (gid != ip->i_gid && !groupmember(gid, cred))) && - (error = suser_cred(cred, SUSER_ALLOWJAIL))) + (error = priv_check_cred(cred, PRIV_VFS_CHOWN, SUSER_ALLOWJAIL))) return (error); ogid = ip->i_gid; ouid = ip->i_uid; @@ -775,7 +790,8 @@ panic("ufs_chown: lost quota"); #endif /* QUOTA */ ip->i_flag |= IN_CHANGE; - if (suser_cred(cred, SUSER_ALLOWJAIL) && (ouid != uid || ogid != gid)) { + if (priv_check_cred(cred, PRIV_VFS_CLEARSUGID, SUSER_ALLOWJAIL) && + (ouid != uid || ogid != gid)) { ip->i_mode &= ~(ISUID | ISGID); DIP_SET(ip, i_mode, ip->i_mode); } @@ -2348,7 +2364,8 @@ if (DOINGSOFTDEP(tvp)) softdep_change_linkcnt(ip); if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) && - suser_cred(cnp->cn_cred, SUSER_ALLOWJAIL)) { + priv_check_cred(cnp->cn_cred, PRIV_VFS_SETGID, + SUSER_ALLOWJAIL)) { ip->i_mode &= ~ISGID; DIP_SET(ip, i_mode, ip->i_mode); } Index: sys/vm/swap_pager.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/vm/swap_pager.c,v retrieving revision 1.284 diff -u -r1.284 swap_pager.c --- sys/vm/swap_pager.c 23 Oct 2006 05:27:31 -0000 1.284 +++ sys/vm/swap_pager.c 30 Oct 2006 17:07:56 -0000 @@ -77,6 +77,7 @@ #include #include #include +#include #include #include #include 
@@ -1966,11 +1967,11 @@ struct nameidata nd; int error; - mtx_lock(&Giant); - error = suser(td); + error = priv_check(td, PRIV_SWAPON); if (error) - goto done2; + return (error); + mtx_lock(&Giant); while (swdev_syscall_active) tsleep(&swdev_syscall_active, PUSER - 1, "swpon", 0); swdev_syscall_active = 1; @@ -2009,7 +2010,6 @@ done: swdev_syscall_active = 0; wakeup_one(&swdev_syscall_active); -done2: mtx_unlock(&Giant); return (error); } @@ -2105,7 +2105,7 @@ struct swdevt *sp; int error; - error = suser(td); + error = priv_check(td, PRIV_SWAPOFF); if (error) return (error); Index: sys/vm/vm_mmap.c =================================================================== RCS file: /zoo/cvsup/FreeBSD-CVS/src/sys/vm/vm_mmap.c,v retrieving revision 1.207 diff -u -r1.207 vm_mmap.c --- sys/vm/vm_mmap.c 22 Oct 2006 11:52:19 -0000 1.207 +++ sys/vm/vm_mmap.c 30 Oct 2006 17:07:56 -0000 @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include @@ -684,7 +685,7 @@ * "immortal." */ if (uap->behav == MADV_PROTECT) { - error = suser(td); + error = priv_check(td, PRIV_VM_MADV_PROTECT); if (error == 0) { p = td->td_proc; PROC_LOCK(p); @@ -951,7 +952,7 @@ vm_size_t npages, size; int error; - error = suser(td); + error = priv_check(td, PRIV_VM_MLOCK); if (error) return (error); addr = (vm_offset_t)uap->addr; @@ -1016,7 +1017,7 @@ } PROC_UNLOCK(td->td_proc); #else - error = suser(td); + error = priv_check(td, PRIV_VM_MLOCK); if (error) return (error); #endif @@ -1061,7 +1062,7 @@ int error; map = &td->td_proc->p_vmspace->vm_map; - error = suser(td); + error = priv_check(td, PRIV_VM_MUNLOCK); if (error) return (error); 
@@ -1095,7 +1096,7 @@ vm_size_t size; int error; - error = suser(td); + error = priv_check(td, PRIV_VM_MUNLOCK); if (error) return (error); addr = (vm_offset_t)uap->addr; From owner-trustedbsd-discuss@FreeBSD.ORG Sun Nov 5 04:46:07 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A1C016A47C for ; Sun, 5 Nov 2006 04:46:07 +0000 (UTC) (envelope-from argonne662@so-net.ne.jp) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 46B8843D91 for ; Sun, 5 Nov 2006 04:46:01 +0000 (GMT) (envelope-from argonne662@so-net.ne.jp) Received: from hn.kd.smx.adsl (unknown [221.13.201.11]) by cyrus.watson.org (Postfix) with SMTP id 605F346D16 for ; Sat, 4 Nov 2006 23:45:57 -0500 (EST) Received: from 193.72.62.161 by 221.13.201.11; Sat, 04 Nov 2006 22:27:04 -0700 Message-ID: 
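Review bot: In the network stack block of sys/sys/priv.h the numbering jumps from "PRIV_NET_DELMULTI 406" to "PRIV_NET_HWIOCTL 507", the only place in the visible list where consecutive defines inside one block are not sequential. If 407 through 414 was intended, correct it before anything depends on the values, since the header sets aside _PRIV_RESERVED0 to _PRIV_RESERVED15 so that later privileges need not be renumbered. In the same file, PRIV_NET_SETLLADDR and the four PRIV_NETATM_* defines have no comment, and PRIV_NETINET_ADDRCTRL6 and PRIV_NETINET_SCOPE6 carry the identical comment "Administer IPv6 address scopes."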
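Review bot: In sys/ufs/ffs/ffs_vfsops.c, hunk @@ -257,15 +258,16 @@ (and the same pattern in @@ -364,14 +366,15 @@), the error seen by the caller changes: "if (error) error = priv_check(td, PRIV_VFS_MOUNT_PERM);" overwrites the VOP_ACCESS() result, so a caller without privilege now gets priv_check()'s error instead of the one VOP_ACCESS() produced. If the old value should be preserved, keep the VOP_ACCESS() result in error and test priv_check() separately. The check order is also reversed: VOP_ACCESS() (and vn_lock() in the first hunk) now runs for every caller, with privilege consulted only after the access check fails, so the retained comments that say "by non-root" no longer describe the code.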
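Review bot: The jail question raised by the new XXXRW comments in sys/ufs/ufs/ufs_quota.c, hunks @@ -423,7 +426,11 @@ and @@ -517,7 +524,11 @@, is left open: both calls still pass SUSER_ALLOWJAIL with PRIV_UFS_QUOTAON and PRIV_UFS_QUOTAOFF. Keeping the flag fits a change that is not meant to alter policy, but the question should be recorded beside the jail privilege list in kern_jail.c as well, so it is decided in one place and not only noted at two call sites.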
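Review bot: The comment added in sys/ufs/ufs/ufs_vnops.c, hunk @@ -582,10 +586,19 @@, reads "try to use VADMIN in preference to VADMIN", naming the same access mode twice. The code below it calls VOP_ACCESS() with VADMIN first and falls back to VWRITE when VA_UTIMES_NULL is set, so the second VADMIN in the comment should read VWRITE.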
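Review bot: In sys/vm/swap_pager.c, hunk @@ -1966,11 +1967,11 @@, the privilege check moves ahead of mtx_lock(&Giant) and the done2 label is dropped in the following hunk, which is a locking change and not only a substitution of priv_check() for suser(). It looks correct, since the early return no longer has anything to unlock, but it deserves its own line in the commit log because the log describes the sweep only as replacing suser(9) calls with priv(9) calls.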
From: "y P" To: trustedbsd-discuss@trustedbsd.org Date: Sat, 04 Nov 2006 22:19:04 -0700 X-Mailer: AOL 8.0 for Windows US sub 094 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-IP: 73.52.7.2 Content-Type: text/plain; Content-Transfer-Encoding: base64 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: y P List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Nov 2006 04:46:07 -0000
From owner-trustedbsd-discuss@FreeBSD.ORG Sun Nov 5 04:54:07 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0EF5016A40F for ; Sun, 5 Nov 2006 04:54:07 +0000 (UTC) (envelope-from stephen@quasarman.biz) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 325DD43D55 for ; Sun, 5 Nov 2006 04:54:06 +0000 (GMT) (envelope-from stephen@quasarman.biz) Received: from friend (071.187-78-65.ftth.swbr.surewest.net [65.78.187.71]) by cyrus.watson.org (Postfix) with ESMTP id 1F16F46D18 for ; Sat, 4 Nov 2006 23:54:01 -0500 (EST) Message-ID: <000001c70096$66044a00$0100007f@KJDA> 
From: "Richard" To: Date: Sat, 04 Nov 2006 20:53:56 +0100 MIME-Version: 1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="------------ms050901000309010600040501" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: All love enhancers on one portal! X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 05 Nov 2006 04:54:07 -0000 This is a multi-part message in MIME format. --------------ms050901000309010600040501 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: quoted-printable --------------ms050901000309010600040501-- From owner-trustedbsd-discuss@FreeBSD.ORG Mon Nov 6 18:09:33 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EB75116A407 for ; Mon, 6 Nov 2006 18:09:33 +0000 (UTC) (envelope-from Christopher.Vance@sparta.com) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C0B543D62 for ; Mon, 6 Nov 2006 18:09:22 +0000 (GMT) (envelope-from Christopher.Vance@sparta.com) Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by cyrus.watson.org (Postfix) with ESMTP id C127246DCC for ; Mon, 6 Nov 2006 13:09:19 -0500 (EST) Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id kA6I9EF3021247 for ; Mon, 6 Nov 2006 12:09:15 -0600 Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id kA6I98kH026914 for ; Mon, 6 Nov 2006 12:09:14 
-0600 Received: from [157.185.81.53] ([157.185.81.53]) by nemo.columbia.ads.sparta.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Nov 2006 13:09:11 -0500 Mime-Version: 1.0 (Apple Message framework v752.2) Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: <2A39F97C-CCE9-49B3-A7CC-615BA956FF8E@sparta.com> Content-Transfer-Encoding: 7bit 
From: Chris Vance Date: Mon, 6 Nov 2006 13:09:11 -0500 To: trustedbsd-discuss@TrustedBSD.org X-Mailer: Apple Mail (2.752.2) X-OriginalArrivalTime: 06 Nov 2006 18:09:11.0911 (UTC) FILETIME=[A9543F70:01C701CE] Cc: Chris Vance Subject: ANN: SEDarwin Release X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Nov 2006 18:09:34 -0000

The first widespread release of SEDarwin is now available for download at http://sedarwin.org/

SEDarwin is a port of the TrustedBSD Mandatory Access Control Framework to Apple's Darwin operating system platform, along with a Type Enforcement policy based on SELinux. SEDarwin is still experimental, but currently allows the enforcement of mandatory process and file protections under Darwin 8.7 (Mac OS X 10.4.7) on Apple PowerPC hardware.

The October 31 snapshot includes the most recent SELinux kernel and user space components available. We are still working to adapt the Tresys reference policy for Apple's System, but the kernel and user space components are largely complete.

Chris Vance
SPARTA, Inc.
From owner-trustedbsd-discuss@FreeBSD.ORG Tue Nov 7 17:27:57 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6FE3816A47C for ; Tue, 7 Nov 2006 17:27:57 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD2CD43E72 for ; Tue, 7 Nov 2006 17:26:37 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id B311F46D22 for ; Tue, 7 Nov 2006 12:26:32 -0500 (EST) Date: Tue, 7 Nov 2006 17:26:32 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-discuss@TrustedBSD.org Message-ID: <20061107172608.O39454@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: Heads up: priv(9) committed (fwd) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Nov 2006 17:27:57 -0000 FYI. Robert N M Watson Computer Laboratory University of Cambridge ---------- Forwarded message ---------- Date: Mon, 6 Nov 2006 14:13:46 +0000 (GMT) 
From: Robert Watson
To: current@FreeBSD.org
Subject: Heads up: priv(9) committed

Dear all,

I've just committed support for the priv(9) kernel API to the CVS HEAD. Per the commit message below, this is a revised interface for checking privilege within the kernel. In principle, there should be little actual functional change with this commit (although in one case, an IPSEC-related check moves from being permitted in Jail to not being permitted in Jail), but this will facilitate future work.

I've now started the post-commit builds. Please let me know (ideally with a CC to current@) if you start running into odd permissions problems -- either things that are no longer permitted that should be, or things that are now permitted that should not be!

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Mon, 6 Nov 2006 13:37:19 +0000 (UTC)
From: Robert Watson
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/kern kern_jail.c kern_priv.c kern_prot.c src/sys/security/mac mac_framework.h mac_internal.h mac_priv.c src/sys/sys jail.h priv.h systm.h src/sys/conf files src/share/man/man9 Makefile priv.9 suser.9

rwatson 2006-11-06 13:37:19 UTC

FreeBSD src repository

Modified files:
  sys/kern kern_jail.c kern_prot.c
  sys/security/mac mac_framework.h mac_internal.h
  sys/sys jail.h systm.h
  sys/conf files
  share/man/man9 Makefile suser.9

Added files:
  sys/kern kern_priv.c
  sys/security/mac mac_priv.c
  sys/sys priv.h
  share/man/man9 priv.9

Log:

Add a new priv(9) kernel interface for checking the availability of privilege for threads and credentials. Unlike the existing suser(9) interface, priv(9) exposes a named privilege identifier to the privilege checking code, allowing more complex policies regarding the granting of privilege to be expressed. Two interfaces are provided, replacing the existing suser(9) interface:

  suser(td) -> priv_check(td, priv)
  suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags)

A comprehensive list of currently available kernel privileges may be found in priv.h. New privileges are easily added as required, but the comments on adding privileges found in priv.h and priv(9) should be read before doing so.

The new privilege interface exposed sufficient information to the privilege checking routine that it will now be possible for jail to determine whether a particular privilege is granted in the check routine, rather than relying on hints from the calling context via the SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail check function, prison_priv_check(), is exposed from kern_jail.c and used by the privilege check routine to determine if the privilege is permitted in jail. As a result, a centralized list of privileges permitted in jail is now present in kern_jail.c.

The MAC Framework is now also able to instrument privilege checks, both to deny privileges otherwise granted (mac_priv_check()), and to grant privileges otherwise denied (mac_priv_grant()), permitting MAC Policy modules to implement privilege models, as well as control a much broader range of system behavior in order to constrain processes running with root privilege.

The suser() and suser_cred() functions remain implemented, now in terms of priv_check() and the PRIV_ROOT privilege, for use during the transition and possibly continuing use by third party kernel modules that have not been updated. The PRIV_DRIVER privilege exists to allow device drivers to check privilege without adopting a more specific privilege identifier.

This change does not modify the actual security policy, rather, it modifies the interface for privilege checks so changes to the security policy become more feasible.

Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
Discussed on: arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov, Skip Ford, Antoine Brodin

Revision  Changes   Path
1.283     +1 -0     src/share/man/man9/Makefile
1.1       +115 -0   src/share/man/man9/priv.9 (new)
1.30      +8 -1     src/share/man/man9/suser.9
1.1160    +2 -0     src/sys/conf/files
1.54      +168 -1   src/sys/kern/kern_jail.c
1.1       +154 -0   src/sys/kern/kern_priv.c (new)
1.206     +58 -89   src/sys/kern/kern_prot.c
1.75      +2 -0     src/sys/security/mac/mac_framework.h
1.115     +34 -0    src/sys/security/mac/mac_internal.h
1.1       +64 -0    src/sys/security/mac/mac_priv.c (new)
1.27      +1 -0     src/sys/sys/jail.h
1.1       +457 -0   src/sys/sys/priv.h (new)
1.246     +1 -1     src/sys/sys/systm.h

---------- Forwarded message ----------
Date: Mon, 6 Nov 2006 13:42:10 +0000 (UTC)
From: Robert Watson To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org Subject: cvs commit: src/sys/amd64/amd64 io.c src/sys/compat/linux linux_misc.c linux_uid16.c src/sys/compat/svr4 svr4_fcntl.c svr4_misc.c src/sys/contrib/altq/altq altq_cbq.c altq_cdnr.c altq_hfsc.c altq_priq.c altq_red.c altq_rio.c ... rwatson 2006-11-06 13:42:10 UTC FreeBSD src repository Modified files: sys/amd64/amd64 io.c sys/compat/linux linux_misc.c linux_uid16.c sys/compat/svr4 svr4_fcntl.c svr4_misc.c sys/contrib/altq/altq altq_cbq.c altq_cdnr.c altq_hfsc.c altq_priq.c altq_red.c altq_rio.c sys/contrib/pf/net if_pfsync.c sys/dev/an if_an.c sys/dev/arl if_arl.c sys/dev/asr asr.c sys/dev/ata atapi-cd.c sys/dev/ce if_ce.c sys/dev/cnw if_cnw.c sys/dev/cp if_cp.c sys/dev/ctau if_ct.c sys/dev/cx if_cx.c sys/dev/dcons dcons_os.c sys/dev/drm drmP.h sys/dev/fdc fdc.c sys/dev/hwpmc hwpmc_mod.c sys/dev/if_ndis if_ndis.c sys/dev/kbd kbd.c sys/dev/lmc if_lmc.c if_lmc.h sys/dev/nmdm nmdm.c sys/dev/null null.c sys/dev/ofw ofw_console.c sys/dev/random randomdev.c sys/dev/sbni if_sbni.c sys/dev/sbsh if_sbsh.c sys/dev/si si.c sys/dev/syscons syscons.c sysmouse.c sys/dev/wi if_wi.c sys/dev/wl if_wl.c sys/dev/zs zs.c sys/fs/devfs devfs_rule.c devfs_vnops.c sys/fs/hpfs hpfs_vnops.c sys/fs/msdosfs msdosfs_vfsops.c msdosfs_vnops.c sys/fs/procfs procfs_ioctl.c sys/fs/smbfs smbfs_vnops.c sys/fs/udf udf_vfsops.c sys/fs/umapfs umap_vfsops.c sys/gnu/fs/ext2fs ext2_vfsops.c ext2_vnops.c sys/gnu/fs/reiserfs reiserfs_fs.h reiserfs_vfsops.c sys/gnu/fs/xfs/FreeBSD xfs_super.c sys/i386/i386 io.c sys_machdep.c vm86.c sys/i386/ibcs2 ibcs2_misc.c ibcs2_socksys.c ibcs2_sysi86.c sys/i386/linux linux_machdep.c sys/i4b/driver i4b_ipr.c sys/ia64/ia64 ssc.c sys/isofs/cd9660 cd9660_vfsops.c sys/kern kern_acct.c kern_descrip.c kern_environment.c kern_exec.c kern_fork.c kern_ktrace.c kern_linker.c kern_ntptime.c kern_resource.c kern_shutdown.c kern_sysctl.c kern_thr.c kern_time.c kern_umtx.c kern_xxx.c 
subr_acl_posix1e.c subr_firmware.c subr_prf.c subr_witness.c sysv_ipc.c sysv_msg.c tty.c tty_cons.c tty_pts.c tty_pty.c uipc_mqueue.c uipc_sem.c vfs_mount.c vfs_subr.c vfs_syscalls.c vfs_vnops.c sys/net bpf.c if.c if_bridge.c if_gre.c if_ppp.c if_sl.c if_tap.c if_tun.c ppp_tty.c raw_usrreq.c rtsock.c sys/net80211 ieee80211_ioctl.c sys/netatalk at_control.c ddp_pcb.c sys/netatm atm_usrreq.c sys/netgraph ng_socket.c ng_tty.c sys/netgraph/bluetooth/drivers/h4 ng_h4.c sys/netgraph/bluetooth/socket ng_btsocket_hci_raw.c ng_btsocket_l2cap_raw.c sys/netinet in.c in_pcb.c ip_carp.c ip_divert.c ip_fw2.c ip_mroute.c ip_output.c raw_ip.c tcp_subr.c udp_usrreq.c sys/netinet6 in6.c in6_pcb.c in6_src.c ipsec.c udp6_usrreq.c sys/netipsec ipsec_osdep.h sys/netipx ipx_pcb.c ipx_usrreq.c sys/netncp ncp_conn.c ncp_mod.c ncp_subr.h sys/netsmb smb_conn.c smb_subr.h sys/nfsserver nfs_syscalls.c sys/pc98/cbus fdc.c sys/posix4 p1003_1b.c sys/security/audit audit.c audit_pipe.c audit_syscalls.c sys/security/mac mac_net.c mac_system.c sys/security/mac_bsdextended mac_bsdextended.c sys/security/mac_lomac mac_lomac.c sys/security/mac_partition mac_partition.c sys/security/mac_portacl mac_portacl.c sys/security/mac_seeotheruids mac_seeotheruids.c sys/sun4v/sun4v hvcons.c sys/sys mac_policy.h sys/ufs/ffs ffs_alloc.c ffs_vfsops.c ffs_vnops.c sys/ufs/ufs ufs_extattr.c ufs_quota.c ufs_vnops.c sys/vm swap_pager.c vm_mmap.c Log: Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking. Sponsored by: nCircle Network Security, Inc. 
Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov , Skip Ford , Antoine Brodin Revision Changes Path 1.2 +2 -1 src/sys/amd64/amd64/io.c 1.192 +4 -2 src/sys/compat/linux/linux_misc.c 1.20 +3 -1 src/sys/compat/linux/linux_uid16.c 1.39 +3 -1 src/sys/compat/svr4/svr4_fcntl.c 1.91 +3 -1 src/sys/compat/svr4/svr4_misc.c 1.4 +3 -1 src/sys/contrib/altq/altq/altq_cbq.c 1.3 +3 -1 src/sys/contrib/altq/altq/altq_cdnr.c 1.3 +4 -1 src/sys/contrib/altq/altq/altq_hfsc.c 1.3 +4 -1 src/sys/contrib/altq/altq/altq_priq.c 1.3 +3 -1 src/sys/contrib/altq/altq/altq_red.c 1.4 +4 -1 src/sys/contrib/altq/altq/altq_rio.c 1.31 +4 -1 src/sys/contrib/pf/net/if_pfsync.c 1.80 +6 -5 src/sys/dev/an/if_an.c 1.14 +4 -3 src/sys/dev/arl/if_arl.c 1.81 +2 -1 src/sys/dev/asr/asr.c 1.190 +5 -1 src/sys/dev/ata/atapi-cd.c 1.4 +65 -22 src/sys/dev/ce/if_ce.c 1.24 +4 -3 src/sys/dev/cnw/if_cnw.c 1.30 +28 -27 src/sys/dev/cp/if_cp.c 1.30 +17 -16 src/sys/dev/ctau/if_ct.c 1.53 +11 -10 src/sys/dev/cx/if_cx.c 1.12 +3 -1 src/sys/dev/dcons/dcons_os.c 1.18 +7 -0 src/sys/dev/drm/drmP.h 1.314 +4 -2 src/sys/dev/fdc/fdc.c 1.26 +12 -7 src/sys/dev/hwpmc/hwpmc_mod.c 1.118 +6 -5 src/sys/dev/if_ndis/if_ndis.c 1.46 +10 -9 src/sys/dev/kbd/kbd.c 1.30 +3 -0 src/sys/dev/lmc/if_lmc.c 1.5 +5 -1 src/sys/dev/lmc/if_lmc.h 1.38 +3 -1 src/sys/dev/nmdm/nmdm.c 1.32 +2 -1 src/sys/dev/null/null.c 1.35 +2 -1 src/sys/dev/ofw/ofw_console.c 1.61 +2 -1 src/sys/dev/random/randomdev.c 1.23 +3 -2 src/sys/dev/sbni/if_sbni.c 1.17 +4 -3 src/sys/dev/sbsh/if_sbsh.c 1.138 +2 -1 src/sys/dev/si/si.c 1.448 +3 -2 src/sys/dev/syscons/syscons.c 1.29 +3 -1 src/sys/dev/syscons/sysmouse.c 1.200 +4 -3 src/sys/dev/wi/if_wi.c 1.74 +6 -5 src/sys/dev/wl/if_wl.c 1.36 +1 -1 src/sys/dev/zs/zs.c 1.23 +7 -4 src/sys/fs/devfs/devfs_rule.c 1.140 +16 -8 src/sys/fs/devfs/devfs_vnops.c 1.69 +6 -5 src/sys/fs/hpfs/hpfs_vnops.c 1.154 +19 -18 src/sys/fs/msdosfs/msdosfs_vfsops.c 1.165 +32 -18 
src/sys/fs/msdosfs/msdosfs_vnops.c 1.14 +14 -2 src/sys/fs/procfs/procfs_ioctl.c 1.64 +7 -5 src/sys/fs/smbfs/smbfs_vnops.c 1.45 +2 -1 src/sys/fs/udf/udf_vfsops.c 1.66 +2 -1 src/sys/fs/umapfs/umap_vfsops.c 1.159 +20 -15 src/sys/gnu/fs/ext2fs/ext2_vfsops.c 1.106 +30 -14 src/sys/gnu/fs/ext2fs/ext2_vnops.c 1.5 +1 -0 src/sys/gnu/fs/reiserfs/reiserfs_fs.h 1.7 +9 -9 src/sys/gnu/fs/reiserfs/reiserfs_vfsops.c 1.5 +11 -8 src/sys/gnu/fs/xfs/FreeBSD/xfs_super.c 1.2 +2 -1 src/sys/i386/i386/io.c 1.107 +2 -1 src/sys/i386/i386/sys_machdep.c 1.60 +2 -1 src/sys/i386/i386/vm86.c 1.66 +14 -8 src/sys/i386/ibcs2/ibcs2_misc.c 1.22 +0 -3 src/sys/i386/ibcs2/ibcs2_socksys.c 1.23 +0 -2 src/sys/i386/ibcs2/ibcs2_sysi86.c 1.64 +2 -1 src/sys/i386/linux/linux_machdep.c 1.36 +1 -1 src/sys/i4b/driver/i4b_ipr.c 1.29 +2 -1 src/sys/ia64/ia64/ssc.c 1.147 +2 -1 src/sys/isofs/cd9660/cd9660_vfsops.c 1.85 +2 -2 src/sys/kern/kern_acct.c 1.299 +2 -1 src/sys/kern/kern_descrip.c 1.46 +11 -3 src/sys/kern/kern_environment.c 1.299 +5 -1 src/sys/kern/kern_exec.c 1.264 +6 -2 src/sys/kern/kern_fork.c 1.112 +4 -2 src/sys/kern/kern_ktrace.c 1.144 +3 -2 src/sys/kern/kern_linker.c 1.60 +3 -2 src/sys/kern/kern_ntptime.c 1.162 +5 -3 src/sys/kern/kern_resource.c 1.180 +2 -1 src/sys/kern/kern_shutdown.c 1.172 +5 -6 src/sys/kern/kern_sysctl.c 1.55 +2 -1 src/sys/kern/kern_thr.c 1.135 +3 -2 src/sys/kern/kern_time.c 1.54 +3 -2 src/sys/kern/kern_umtx.c 1.47 +6 -4 src/sys/kern/kern_xxx.c 1.51 +50 -43 src/sys/kern/subr_acl_posix1e.c 1.6 +3 -1 src/sys/kern/subr_firmware.c 1.127 +2 -1 src/sys/kern/subr_prf.c 1.219 +5 -1 src/sys/kern/subr_witness.c 1.30 +65 -37 src/sys/kern/sysv_ipc.c 1.64 +2 -1 src/sys/kern/sysv_msg.c 1.263 +8 -6 src/sys/kern/tty.c 1.138 +2 -1 src/sys/kern/tty_cons.c 1.13 +5 -2 src/sys/kern/tty_pts.c 1.151 +5 -2 src/sys/kern/tty_pty.c 1.17 +16 -4 src/sys/kern/uipc_mqueue.c 1.26 +13 -4 src/sys/kern/uipc_sem.c 1.242 +21 -9 src/sys/kern/vfs_mount.c 1.689 +23 -40 src/sys/kern/vfs_subr.c 1.428 +39 -29 
src/sys/kern/vfs_syscalls.c 1.246 +2 -1 src/sys/kern/vfs_vnops.c 1.174 +2 -1 src/sys/net/bpf.c 1.264 +20 -14 src/sys/net/if.c 1.86 +2 -1 src/sys/net/if_bridge.c 1.45 +63 -9 src/sys/net/if_gre.c 1.117 +18 -7 src/sys/net/if_ppp.c 1.133 +2 -1 src/sys/net/if_sl.c 1.66 +7 -3 src/sys/net/if_tap.c 1.161 +6 -3 src/sys/net/if_tun.c 1.71 +9 -4 src/sys/net/ppp_tty.c 1.44 +6 -2 src/sys/net/raw_usrreq.c 1.139 +6 -2 src/sys/net/rtsock.c 1.51 +6 -5 src/sys/net80211/ieee80211_ioctl.c 1.45 +2 -0 src/sys/netatalk/at_control.c 1.50 +2 -1 src/sys/netatalk/ddp_pcb.c 1.28 +21 -8 src/sys/netatm/atm_usrreq.c 1.15 +2 -1 src/sys/netgraph/bluetooth/drivers/h4/ng_h4.c 1.23 +2 -1 src/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c 1.20 +2 -1 src/sys/netgraph/bluetooth/socket/ng_btsocket_l2cap_raw.c 1.81 +5 -2 src/sys/netgraph/ng_socket.c 1.37 +3 -1 src/sys/netgraph/ng_tty.c 1.95 +29 -7 src/sys/netinet/in.c 1.183 +6 -2 src/sys/netinet/in_pcb.c 1.45 +5 -2 src/sys/netinet/ip_carp.c 1.122 +6 -2 src/sys/netinet/ip_divert.c 1.153 +2 -1 src/sys/netinet/ip_fw2.c 1.122 +2 -1 src/sys/netinet/ip_mroute.c 1.268 +15 -2 src/sys/netinet/ip_output.c 1.167 +23 -10 src/sys/netinet/raw_ip.c 1.266 +5 -2 src/sys/netinet/tcp_subr.c 1.196 +3 -1 src/sys/netinet/udp_usrreq.c 1.65 +41 -17 src/sys/netinet6/in6.c 1.74 +6 -1 src/sys/netinet6/in6_pcb.c 1.40 +4 -1 src/sys/netinet6/in6_src.c 1.47 +9 -2 src/sys/netinet6/ipsec.c 1.69 +3 -1 src/sys/netinet6/udp6_usrreq.c 1.4 +3 -1 src/sys/netipsec/ipsec_osdep.h 1.46 +4 -4 src/sys/netipx/ipx_pcb.c 1.58 +8 -2 src/sys/netipx/ipx_usrreq.c 1.29 +1 -0 src/sys/netncp/ncp_conn.c 1.16 +1 -0 src/sys/netncp/ncp_mod.c 1.10 +1 -1 src/sys/netncp/ncp_subr.h 1.18 +1 -0 src/sys/netsmb/smb_conn.c 1.13 +1 -1 src/sys/netsmb/smb_subr.h 1.108 +2 -1 src/sys/nfsserver/nfs_syscalls.c 1.168 +4 -3 src/sys/pc98/cbus/fdc.c 1.31 +5 -3 src/sys/posix4/p1003_1b.c 1.22 +3 -1 src/sys/security/audit/audit.c 1.10 +3 -3 src/sys/security/audit/audit_pipe.c 1.9 +10 -9 src/sys/security/audit/audit_syscalls.c 1.120 
+5 -4 src/sys/security/mac/mac_net.c 1.107 +6 -0 src/sys/security/mac/mac_system.c 1.30 +3 -0 src/sys/security/mac_bsdextended/mac_bsdextended.c 1.42 +4 -1 src/sys/security/mac_lomac/mac_lomac.c 1.12 +2 -1 src/sys/security/mac_partition/mac_partition.c 1.10 +3 -1 src/sys/security/mac_portacl/mac_portacl.c 1.9 +2 -1 src/sys/security/mac_seeotheruids/mac_seeotheruids.c 1.4 +3 -1 src/sys/sun4v/sun4v/hvcons.c 1.78 +4 -0 src/sys/sys/mac_policy.h 1.141 +3 -2 src/sys/ufs/ffs/ffs_alloc.c 1.323 +18 -15 src/sys/ufs/ffs/ffs_vfsops.c 1.162 +4 -2 src/sys/ufs/ffs/ffs_vnops.c 1.85 +3 -1 src/sys/ufs/ufs/ufs_extattr.c 1.85 +25 -9 src/sys/ufs/ufs/ufs_quota.c 1.283 +31 -14 src/sys/ufs/ufs/ufs_vnops.c 1.285 +5 -5 src/sys/vm/swap_pager.c 1.208 +6 -5 src/sys/vm/vm_mmap.c _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org" From owner-trustedbsd-discuss@FreeBSD.ORG Mon Nov 13 14:37:55 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F0BD116A40F for ; Mon, 13 Nov 2006 14:37:55 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB5C143D6A for ; Mon, 13 Nov 2006 14:37:51 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 81C6B46E14 for ; Mon, 13 Nov 2006 09:37:50 -0500 (EST) Date: Mon, 13 Nov 2006 14:37:50 +0000 (GMT) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-discuss@TrustedBSD.org Message-ID: <20061113143731.R38359@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: My slides from EuroBSDCon 2006 (fwd) X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Nov 2006 14:37:56 -0000 FYI. Robert N M Watson Computer Laboratory University of Cambridge ---------- Forwarded message ---------- Date: Mon, 13 Nov 2006 14:34:01 +0000 (GMT) 
From: Robert Watson To: current@FreeBSD.org Subject: My slides from EuroBSDCon 2006 Dear All, I've put my slides from EuroBSDCon 2006 up on my web site: http://www.watson.org/~robert/freebsd/2006eurobsdcon/ These include the TrustedBSD slides from the developer summit, my slides from my "How the FreeBSD Project Works" talk (revised version of a talk by the same name at BSDCan 2006), and a pointer to the TrustedBSD Audit slides I gave previously at UKUUG, but presented on short notice as a substitution for a speaker who failed to turn up. Robert N M Watson Computer Laboratory University of Cambridge
From owner-trustedbsd-discuss@FreeBSD.ORG Mon Nov 13 15:17:30 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABCBC16A40F; Mon, 13 Nov 2006 15:17:30 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id A46854417F; Mon, 13 Nov 2006 14:56:26 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id B97B946CF4; Mon, 13 Nov 2006 09:56:00 -0500 (EST) Date: Mon, 13 Nov 2006 14:56:00 +0000 (GMT) 
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: trustedbsd-audit@TrustedBSD.org Message-ID: <20061113145030.F38359@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-discuss@TrustedBSD.org Subject: SecurityFocus.com interview on FreeBSD 6.2 audit support X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Nov 2006 15:17:30 -0000 Federico Biancuzzi of SecurityFocus.com interviewed me for an article that went up a couple of days ago on the FreeBSD audit implementation: http://www.securityfocus.com/columnists/422 FreeBSD 6.2-RELEASE, the first version on FreeBSD that will ship with integrated support for security audit, will be released in the next month (or so). Robert N M Watson Computer Laboratory University of Cambridg
From owner-trustedbsd-discuss@FreeBSD.ORG Sun Dec 31 03:16:04 2006 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9987D16A403 for ; Sun, 31 Dec 2006 03:16:04 +0000 (UTC) (envelope-from servando@mac.com) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.47]) by mx1.freebsd.org (Postfix) with ESMTP id 6D2C113C45B for ; Sun, 31 Dec 2006 03:16:04 +0000 (UTC) (envelope-from servando@mac.com) Received: from mac.com (webmail009-S [10.13.128.9]) by smtpout.mac.com (Xserve/8.12.11/smtpout09/MantshX 4.0) with ESMTP id kBV2wQNV020444 for ; Sat, 30 Dec 2006 18:58:26 -0800 (PST) Received: from webmail009 (localhost [127.0.0.1]) by mac.com (8.13.8/webmail009/MantshX 4.0) with ESMTP id kBV2wPLH029270 for ; Sat, 30 Dec 2006 18:58:26 -0800 (PST) Date: Sat, 30 Dec 2006 18:58:25 -0800 
From: Servando Garcia To: trustedbsd-discuss@FreeBSD.org Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Originating-IP: 71.30.131.218 Received: from [71.30.131.218] from webmail.mac.com with HTTP; Sat, 30 Dec 2006 18:58:25 -0800 X-Brightmail-Tracker: AAAAAA== X-Brightmail-scanned: yes Subject: disk is full X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Dec 2006 03:16:04 -0000 Hello List. I am new to FreeBSD. I just installed FreeBSD 6.1 I have truly enjoyed the whole install experience. I have overcome all my install problems save one. I have KDE 3.5 installed. All is well except I can not save anything. I get an error stating that the disk is full. I am sure this can not be as I have a 40GB harddrive. I am sure it is a setting issue. From owner-trustedbsd-discuss@FreeBSD.ORG Sun Dec 31 09:13:21 2006 Return-Path: X-Original-To: trustedbsd-discuss@freebsd.org Delivered-To: trustedbsd-discuss@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id BBBFF16A415 for ; Sun, 31 Dec 2006 09:13:21 +0000 (UTC) (envelope-from 473219@googlemail.com) Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.189]) by mx1.freebsd.org (Postfix) with ESMTP id 576A713C441 for ; Sun, 31 Dec 2006 09:13:21 +0000 (UTC) (envelope-from 473219@googlemail.com) Received: by nf-out-0910.google.com with SMTP id x37so6086294nfc for ; Sun, 31 Dec 2006 01:13:20 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; 
b=c0mqIQNaz8fIKryYwJr6zD8FyghYq5gYV9Ih8J2Luh0TC0fBw60IB+zLCYiloNLg19PX12x59JwrwsUyhpQrMRonlcE8ws/MjSPyoTqPEVUzuk2pAZqjts6Il1cgab5w8uLU4o66p5f34pbISVr39mawMTt8QcVa2TAyOnB5EHo= Received: by 10.82.152.16 with SMTP id z16mr1244989bud.1167554849717; Sun, 31 Dec 2006 00:47:29 -0800 (PST) Received: by 10.82.135.1 with HTTP; Sun, 31 Dec 2006 00:47:29 -0800 (PST) Message-ID: Date: Sun, 31 Dec 2006 08:47:29 +0000 
From: 473219@googlemail.com To: "Servando Garcia" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: Cc: trustedbsd-discuss@freebsd.org Subject: Re: disk is full X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Dec 2006 09:13:21 -0000

On 31/12/06, Servando Garcia wrote:
> Hello List. I am new to FreeBSD. I just installed FreeBSD 6.1 I have truly enjoyed the whole install experience. I have overcome all my install problems save one.
> I have KDE 3.5 installed. All is well except I can not save anything. I get an error stating that the disk is full. I am sure this can not be as I have a 40GB harddrive. I am sure it is a setting issue.
> _______________________________________________
> trustedbsd-discuss@FreeBSD.org mailing list
> http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss
> To unsubscribe, send any mail to "trustedbsd-discuss-unsubscribe@FreeBSD.org"
>

Hi,

You're asking on the wrong list really. This list is for discussion of Trusted BSD, which is a set of security extensions targeted at very specialist uses (e.g. government/military systems). You'll get more answers on one of the other lists such as FreeBSD-questions. See:

http://www.freebsd.org/community/mailinglists.html
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources.html

To answer your question, it's difficult without seeing the actual error message you got, but I wonder whether your 40GB disk is split up into partitions which are not of the correct sizes? To begin with, I would tend to go with the Automatic ('A') option in the installer, which will make small partitions for the ones that don't get used much, and a large partition for /usr. 
You can always create a symlink into a directory in /usr if you find you need more space for some purpose (e.g. logs under /var). You can use the command 'df -h' to show you how big (and how full) each partition is.

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/ad0s1a    9.7G     85M    8.8G     1%    /
/dev/ad0s1e    9.7G     14K    8.9G     0%    /tmp
/dev/ad0s1f    330G    143G    161G    47%    /usr
/dev/ad0s1d    9.7G    179M    8.7G     2%    /var

In this example, I had a huge disk, so I made /, /tmp and /var a few Gigs each. But only /usr really needs much space. 1GB would have been more than enough for the everything except /usr, which is where the ports collection lives, along with all my personal files. So, run "df -h" on your machine and see what's going on. Hope this helps. - Martin.
From owner-trustedbsd-discuss@FreeBSD.ORG Wed Jan 31 14:25:04 2007 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9836816A401 for ; Wed, 31 Jan 2007 14:25:04 +0000 (UTC) (envelope-from gjk.liu@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.173]) by mx1.freebsd.org (Postfix) with ESMTP id 32FB513C461 for ; Wed, 31 Jan 2007 14:25:03 +0000 (UTC) (envelope-from gjk.liu@gmail.com) Received: by ug-out-1314.google.com with SMTP id o2so176515uge for ; Wed, 31 Jan 2007 06:25:01 -0800 (PST) Received: by 10.82.118.2 with SMTP id q2mr180025buc.1170252003857; Wed, 31 Jan 2007 06:00:03 -0800 
(PST) Received: by 10.82.151.20 with HTTP; Wed, 31 Jan 2007 06:00:03 -0800 (PST) Message-ID: <8c2dc7030701310600j536744e0h6712aae77f51a394@mail.gmail.com> Date: Wed, 31 Jan 2007 22:00:03 +0800 
From: "Liu Jian" To: trustedbsd-discuss@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: memory leak in libselinux X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jan 2007 14:25:04 -0000

Dear All,

We have found a memory leak in libselinux. The following is the function "fsetfilecon_raw" in "setfilecon.c" with comments added by myself.

    int setfilecon_raw(const char *path, security_context_t context)
    {
        mac_t mac;
        char tmp[strlen(context) + strlen("sebsd/0")];
        int r;

        if (mac_prepare(&mac, "sebsd"))    // malloc(sizeof(**mac)) is called firstly in mac_prepare
            return -1;

        strcpy(tmp, "sebsd/");
        strcat(tmp, context);
        if (mac_from_text(&mac, tmp)) {    // malloc(sizeof(**mac)) is called secondly in mac_prepare
            mac_free(mac);                 // moreover, the first malloced mac is lost.
            return -1;
        }
        r = mac_set_file(path, mac);
        mac_free(mac);
        return r;
    }

As the program shows, a mac is first malloced in mac_prepare (here, pls refer to the definition of mac_prepare in mac.c at libc), and after that a new malloc(sizeof(**mac)) is called in mac_from_text (also pls refer to mac.c at libc). Moreover, the first malloced mac is lost here and a memory leak occurs.

The same situation also appears in "setcon.c, lsetfilecon.c, setexeccon.c and setfilescon.c". This memory leak will suck a lot when running the setfiles program.

by Liu Jian ---------- email to: GJK.Liu@gmail.com From owner-trustedbsd-discuss@FreeBSD.ORG Wed Jan 31 15:25:01 2007 Return-Path: X-Original-To: trustedbsd-discuss@FreeBSD.org Delivered-To: trustedbsd-discuss@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 35F9816A40E for ; Wed, 31 Jan 2007 15:25:01 +0000 (UTC) (envelope-from Todd.Miller@sparta.com) Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by mx1.freebsd.org (Postfix) with ESMTP id C653C13C4C9 for ; Wed, 31 Jan 2007 15:25:00 +0000 (UTC) (envelope-from Todd.Miller@sparta.com) Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id l0VEiXKE003572; Wed, 31 Jan 2007 08:44:33 -0600 Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id l0VEiXA5022578; Wed, 31 Jan 2007 08:44:33 -0600 Received: from [127.0.0.1] ([157.185.80.253]) by nemo.columbia.ads.sparta.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 31 Jan 2007 09:44:32 -0500 In-Reply-To: <8c2dc7030701310600j536744e0h6712aae77f51a394@mail.gmail.com> References: <8c2dc7030701310600j536744e0h6712aae77f51a394@mail.gmail.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <13062B5A-D2A5-4A3D-BC82-BEBC4ACC5A96@sparta.com> Content-Transfer-Encoding: 7bit 
From: Todd Miller Date: Wed, 31 Jan 2007 09:44:29 -0500 To: "Liu Jian" X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 31 Jan 2007 14:44:32.0436 (UTC) FILETIME=[51B78F40:01C74546] Cc: trustedbsd-discuss@FreeBSD.org Subject: Re: memory leak in libselinux X-BeenThere: trustedbsd-discuss@FreeBSD.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: TrustedBSD General Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Jan 2007 15:25:01 -0000 Yes, this was fixed some time ago in the SEDarwin sources. The SEBSD code really needs to be updated from the work done in SEDarwin, which includes an up-to-date version of the SELinux userland pieces. - todd
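
The allocation pattern Liu Jian reports above, as an added example that is not part of the thread and is not libselinux or libc code: a user-space model in which the hypothetical label_prepare() and label_from_text() both allocate into the same out-pointer, as the post says mac_prepare() and mac_from_text() do. The struct layout, buffer sizes, sample context string and the corrected variant (dropping the prepare call) are assumptions; the thread does not show how SEDarwin fixed it.

```c
/*
 * Added example, not libselinux or libc code. struct label and label_*() are
 * hypothetical stand-ins for mac_t, mac_prepare(), mac_from_text() and
 * mac_free(); they model only the allocation behaviour the post reports.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct label {
	size_t buflen;
	char text[];		/* label text stored inline */
};

static long live_allocs;	/* labels allocated and not yet freed */

static struct label *label_alloc(size_t buflen)
{
	struct label *l = malloc(sizeof(*l) + buflen);
	if (l != NULL) {
		live_allocs++;
		l->buflen = buflen;
		l->text[0] = '\0';
	}
	return l;
}

static void label_free(struct label *l)
{
	if (l != NULL) {
		live_allocs--;
		free(l);
	}
}

/* Stand-in for mac_prepare(): stores a new, empty label in *out. */
static int label_prepare(struct label **out, const char *policy)
{
	(void)policy;			/* the model ignores the policy name */
	*out = label_alloc(64);		/* 64 is an arbitrary buffer size */
	return *out != NULL ? 0 : -1;
}

/* Stand-in for mac_from_text(): also stores a NEW label in *out, so a label
 * that *out already pointed at becomes unreachable. */
static int label_from_text(struct label **out, const char *text)
{
	*out = label_alloc(strlen(text) + 1);
	if (*out == NULL)
		return -1;
	strcpy((*out)->text, text);
	return 0;
}

/* Same call sequence as the posted setfilecon_raw(): prepare, then parse. */
static int set_context_leaky(const char *context)
{
	struct label *l;
	char tmp[256];
	if (label_prepare(&l, "sebsd") != 0)
		return -1;
	snprintf(tmp, sizeof(tmp), "sebsd/%s", context);
	if (label_from_text(&l, tmp) != 0) {	/* overwrites the prepared label */
		label_free(l);
		return -1;
	}
	label_free(l);				/* frees only the second label */
	return 0;
}

/* Assumed correction: the parser allocates the only label. */
static int set_context_fixed(const char *context)
{
	struct label *l;
	char tmp[256];
	snprintf(tmp, sizeof(tmp), "sebsd/%s", context);
	if (label_from_text(&l, tmp) != 0)
		return -1;
	label_free(l);
	return 0;
}

/* Label nfiles files, as a setfiles run would; return labels left allocated. */
static long leaked_after(int (*setter)(const char *), int nfiles)
{
	long before = live_allocs;
	for (int i = 0; i < nfiles; i++)
		if (setter("system_u:object_r:etc_t") != 0)	/* constructed context */
			return -1;
	return live_allocs - before;
}

int main(void)
{
	printf("prepare + from_text: %ld labels leaked\n", leaked_after(set_context_leaky, 1000));
	printf("from_text only: %ld labels leaked\n", leaked_after(set_context_fixed, 1000));
	return 0;
}
```

The leak grows by one label per call, which is why a tool that labels every file on a filesystem is where it shows up first.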