From sds at tycho.nsa.gov Thu Oct 9 07:24:33 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 9 Oct 2008 07:24:33 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Move create hooks into filesystem code, mediate open of existing file
Message-ID: <200810091424.m99EOXC5017015@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 098ba4106c40de0c17ba04070b22a483a8b93501
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Move create hooks into filesystem code, mediate open of existing file

Move the fmac_vnode_create() and post_create() hooks from fop_create() into zfs_create() so that they are only applied on new file creation, and call the fmac_vnode_access() hook from zfs_create() when opening an existing file. Similar hooking will be needed for other filesystem types like tmpfs as well.

Also move the corresponding hook calls from fop_mkdir() into zfs_mkdir() for consistency with create, although we don't have the same problem there with distinguishing create from open at the fop layer.

The wrapping of the vattr with an xvattr is put back into fmac_vnode_create() as it was before. Ultimately all callers of VOP_CREATE will likely be changed to pass xvattrs in the first place, thereby eliminating the need for such wrapping by the FMAC code.

Taking the call to fmac_vnode_access() into zfs_zaccess() will be explored in subsequent patches.
Webrev is available at: http://cr.opensolaris.org/~sds/create/

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/fs/zfs/zfs_vnops.c
update: usr/src/uts/common/sys/vnode.h

From sds at tycho.nsa.gov Thu Oct 9 07:24:34 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 9 Oct 2008 07:24:34 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Move fmac_vnode_access() hook to zfs_zaccess()
Message-ID: <200810091424.m99EOY14017019@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 08be291fa804b61a631d60a363100d89faec0a35
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Move fmac_vnode_access() hook to zfs_zaccess()

Extend fmac_vnode_access() to understand ACE masks as well as traditional modes, and move the calls to it from fop_access() and zfs_create() into zfs_zaccess(). The access functions of other filesystems would need to be similarly instrumented, although they can pass conventional modes rather than ACE masks since fmac_vnode_access() understands both and distinguishes them based on flags.

Note btw that extending fmac_vnode_access() to understand ACE masks is required regardless of whether we call it from fop_access() or zfs_zaccess(), since callers of VOP_ACCESS() can pass ACE masks (as in the nfs4 and smbsrv cases).

fmac_vnode_access() is only called if the normal zfs_zaccess() logic would grant the access (i.e. either the base DAC logic or the secpolicy hook authorized it). The secpolicy hook is not allowed to override a FMAC denial.

One immediate benefit of taking the FMAC hook into zfs_zaccess is that we get proper checking against the base file when a named attribute is accessed, e.g.

    runat /etc/passwd cp /tmp/foo attr.1

fails as expected with a setattr denial. We also gain more complete coverage of file operations.
I looked at moving the fmac_vnode_access() hook inside of zfs_zaccess_common(), but it seemed better to do it in zfs_zaccess() because:

1) We can then place it after both the base DAC logic and the privilege check.

2) We do not gain any benefit from checking all calls to zfs_zaccess_common(), since other callers like zfs_zaccess_delete() and _rename() short-circuit their checking if access to the directory is granted, whereas we want checking against the target file in all cases and thus still need our separate hooks for those operations.

Some of the other FMAC checks may be obsoleted by taking fmac_vnode_access() into zfs_zaccess(), but this requires a case-by-case review and testing, as callers of zfs_zaccess() do not always honor a denial from it (it can be overridden by other secpolicy calls), as in the setattr case.

This is relative to the prior patch for the create hooks.

Webrev is available at: http://cr.opensolaris.org/~sds/zaccess/

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/fs/zfs/zfs_acl.c
update: usr/src/uts/common/fs/zfs/zfs_vnops.c

From sds at tycho.nsa.gov Thu Oct 9 07:24:35 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 9 Oct 2008 07:24:35 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Distinguish append vs. write in fmac_vnode_access()
Message-ID: <200810091424.m99EOZbw017025@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 2b795f3baa584d2ed260441e2f37af0baece205b
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Distinguish append vs. write in fmac_vnode_access()

The prior patch that extended fmac_vnode_access() to understand ACE masks and moved the call to it from fop_access() to zfs_zaccess() did not properly distinguish append vs. write access, unlike the original fmac_vnode_access() handling of traditional modes.
This patch, on top of the prior one, passes the flags down from zfs_zaccess() to fmac_vnode_access() and handles the V_APPEND flag by remapping ACE_WRITE_DATA mode to FILE__APPEND permission when it is set.

Webrev is available at: http://cr.opensolaris.org/~sds/append

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/zfs/zfs_acl.c

From sds at tycho.nsa.gov Fri Oct 10 05:40:45 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 10 Oct 2008 05:40:45 -0700 (PDT)
Subject: [fmac-notify] Change sysattr_list() to only return non-default attributes
Message-ID: <200810101240.m9ACejBg007198@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 83bea1900f31d28767107ea342c333684c84328e
Total changesets: 1

Log message:
Change sysattr_list() to only return non-default attributes

Per Mark's suggestion, change sysattr_list() in libcmdutils to only return non-default attributes. This appears to fix the problems with cp -p and mv from ZFS to ZFS and from ZFS to tmpfs, as it no longer tries to set the other system attributes.

I just changed the logic to remove any attributes from the response list that had the default values and then return the modified response list, rather than immediately returning the entire response list whenever a non-default attribute was found.

Webrev at: http://cr.opensolaris.org/~sds/sysattrlist/

Files:
update: usr/src/lib/libcmdutils/common/process_xattrs.c

From sds at tycho.nsa.gov Fri Oct 10 05:40:46 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 10 Oct 2008 05:40:46 -0700 (PDT)
Subject: [fmac-notify] Labeled tmpfs support
Message-ID: <200810101240.m9ACekvp007202@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: fbb450806b759a111f6d84170cb8486ec5d3f7d7
Total changesets: 1

Log message:
Labeled tmpfs support

Take 3 of the labeled tmpfs support.
With the change to sysattr_list(), it is no longer a problem to return EINVAL on any of the default system attributes in tmp_setattr. We will still need to address the removal of VFSFT_XVATTR from tmpfs when we rebase to snv_100+, by introducing a VFSFT_XVATTR_SECCTX or implementing the default system attributes in tmpfs.

The root directory of a tmpfs mount is initially labeled from the mount point directory, as with the existing uid/gid/mode assignment. Thus, for example, one can umount /tmp from single-user mode and setfilecon the mount point directory to system_u:object_r:tmp_t in order to get the tmpfs mount to pick up that context on subsequent mounts. John also found that we can label the other tmpfs mount points by moving setfiles to /sbin and invoking it from /lib/svc/method/fs-minimal on /tmp, /var/run and any other tmpfs mount points.

Files and directories created in the tmpfs mount are then labeled via the fmac_vnode_create and post_create hooks as in ZFS, except that we do not need to set up an xvattr on the file creation code path, since there is no storage of the secctx and we only need to set up the incore secid on the vnode.

Upon tmp_getattr, the fmac_vnode_get_secctx() hook is invoked to get the secctx from the secid in order to pass back to userspace. Upon tmp_setattr, the secpolicy hook will ultimately call fmac_vnode_set_secctx() and update the vnode secid, so we only need to set the return flag for XAT_SECCTX.

A call to fmac_vnode_access() is inserted into tmp_taccess() to apply a FMAC permission check whenever the existing tmpfs permission checks would grant access. This uses conventional modes and thus does not pass V_ACE_MASK.

A call to fmac_vnode_remove() is inserted into tmp_sticky_remove_access() as an initial cut at mediating removal of files in tmpfs, although this may need to be taken to the callers when rename checking is introduced.
Webrev at: http://cr.opensolaris.org/~sds/tmpfs3/

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/tmpfs/tmp_subr.c
update: usr/src/uts/common/fs/tmpfs/tmp_vfsops.c
update: usr/src/uts/common/fs/tmpfs/tmp_vnops.c
update: usr/src/uts/common/sys/fmac/fmac.h

From john.weeks at sun.com Wed Oct 15 08:16:44 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Wed, 15 Oct 2008 08:16:44 -0700 (PDT)
Subject: [fmac-notify] [PATCH] Initialize v_secid in ZFS before first zfs_zaccess()
Message-ID: <200810151516.m9FFGilc002978@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 5619e6e27d7c37adc2ffbcbd166c9704528b5fcb
Total changesets: 1

Log message:
[PATCH] Initialize v_secid in ZFS before first zfs_zaccess()

Move the initialization of v_secid for ZFS down to where the znode is initialized to ensure v_secid is valid before the first zfs_zaccess check. This corrects policy failures that were observed when removing files. fmac_vnode_lookup() was trying to retrieve the context on file systems that did not support system attributes, thus setting v_secid to the wrong value (SECINITSID_FILE).

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/zfs/zfs_znode.c
update: usr/src/uts/common/sys/fmac/fmac.h

From sds at tycho.nsa.gov Thu Oct 16 05:48:19 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 16 Oct 2008 05:48:19 -0700 (PDT)
Subject: [fmac-notify] Rework the AVC interface and locking. Introduce an avc_compute_av()
Message-ID: <200810161248.m9GCmJ4D010567@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 8e2e92a9a471eed8ec1f3f469f5b684df3dc2d68
Total changesets: 1

Log message:
Rework the AVC interface and locking.

Introduce an avc_compute_av() interface for getting complete access vectors from the AVC. Reduce down to a single avc_has_perm() interface rather than supporting multiple variants with different arguments.
Drop AVC entry references from the interface. Take more of the AVC definitions and functions private to avc.c. Convert the AVC lock from a mutex to a read-write lock. Introduce a separate lock for the AVC audit buffer.

The avc_compute_av() interface should be helpful in e.g. computing privilege sets, where we want to do more than get a success/fail for a set of requested permissions. The locking changes should improve scalability, although finer-grained locking may be necessary, e.g. taking the locks to the individual avc hash buckets and nodes.

Webrev at: http://cr.opensolaris.org/~sds/avc/

Files:
update: usr/src/uts/common/fmac/avc.c
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/sys/fmac/avc.h
update: usr/src/uts/common/syscall/fmacsys.c

From sds at tycho.nsa.gov Thu Oct 16 05:48:20 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Thu, 16 Oct 2008 05:48:20 -0700 (PDT)
Subject: [fmac-notify] Export AVC stats via kstat
Message-ID: <200810161248.m9GCmKH8010571@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 711c35fb7932b6222e1d3d2eb52091e4da8e18dd
Total changesets: 1

Log message:
Export AVC stats via kstat

Export basic AVC statistics using kstat, along with a few other minor cleanups of the AVC. Relative to the prior AVC interface/locking patch.

Still to-do: Export avc_hash_stats in some manner upon request by userspace, and either export avc_dump_cache in some manner or drop it.

Example output after this patch:

    $ kstat -m avc
    module: avc                             instance: 0
    name:   avcstats                        class:    misc
            avchits                         498329
            avclookups                      498582
            avcmisses                       253
            avcprobes                       879284
            crtime                          17.180095603
            snaptime                        366.184087142

Interpretation of the above output: For permission checks that have occurred thus far while the system is running, we found the desired entry in the AVC 498,329 out of 498,582 times (99.95%), only having to call the security server 253 times.
When we found the entry in the AVC, we had to look at an average of 879,284 / 498,329 == 1.76 entries before finding the right one in the hash chain.

Webrev at: http://cr.opensolaris.org/~sds/avckstat/

Files:
update: usr/src/uts/common/fmac/avc.c
update: usr/src/uts/common/sys/fmac/avc.h

From sds at tycho.nsa.gov Fri Oct 17 10:42:39 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 17 Oct 2008 10:42:39 -0700 (PDT)
Subject: [fmac-notify] Fix setting of prev_secid
Message-ID: <200810171742.m9HHgdSj016498@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: dc5a88b1d0939cd26c025f33abe1386d1397b296
Total changesets: 1

Log message:
Fix setting of prev_secid

prev_secid is supposed to track the security context prior to the last exec so that applications can get the context of their caller using getprevcon(). This requires the prev_secid to be updated at times other than when the secid is changing. This patch changes the fmac_exec() and gexec() logic accordingly to ensure that the prev_secid is updated as needed. In the case where the prior exec was a secid transition and the current exec is not changing credentials, this requires a new cred in order to update the prev_secid. We may migrate the prev_secid out of the cred and into a per-process structure (as in Linux) in the future.
Webrev at: http://cr.opensolaris.org/~sds/prevsecid/

Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/os/exec.c

From sds at tycho.nsa.gov Fri Oct 17 10:42:38 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 17 Oct 2008 10:42:38 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Fix cstyle issues in avc.c
Message-ID: <200810171742.m9HHgcQi016491@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 2b3705cc2d651502ff4ff41ab99d312d58ec1137
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Fix cstyle issues in avc.c

Fix cstyle issues in avc.c reported by cstyle -cpP.

Files:
update: usr/src/uts/common/fmac/avc.c

From sds at tycho.nsa.gov Fri Oct 17 10:42:38 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 17 Oct 2008 10:42:38 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Fix more cstyle issues
Message-ID: <200810171742.m9HHgcK1016494@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: f9ded24b041a99cab19234cefb9d082e570e267c
Total changesets: 1

Log message:
[fmac-discuss] [PATCH] Fix more cstyle issues

Fix more cstyle issues introduced by prior patches, in particular the hasprocperm patch and the secctx patch. uts/common/syscall/lgrpsys.c is still not clean with regard to continuation indentation, but the remaining warnings were not introduced by our patches.
Files:
update: usr/src/uts/common/contract/process.c
update: usr/src/uts/common/disp/class.c
update: usr/src/uts/common/fs/xattr.c
update: usr/src/uts/common/os/cpu.c
update: usr/src/uts/common/os/klpd.c
update: usr/src/uts/common/syscall/corectl.c
update: usr/src/uts/common/syscall/lgrpsys.c

From sds at tycho.nsa.gov Fri Oct 17 10:42:37 2008
From: sds at tycho.nsa.gov (sds at tycho.nsa.gov)
Date: Fri, 17 Oct 2008 10:42:37 -0700 (PDT)
Subject: [fmac-notify] [fmac-discuss] [PATCH] Move link/setattr hooks into filesystem code
Message-ID: <200810171742.m9HHgbeY016486@oss-app2.opensolaris.org>

Author: Stephen Smalley
Repository: /hg/fmac/fmac-gate
Latest revision: 76e5e255416999bf24ee5846fe6c1979ff88c127
Total changesets: 1

Log message:
Re: [fmac-discuss] [PATCH] Move link/setattr hooks into filesystem code

On Thu, 2008-10-16 at 23:18 -0700, John Weeks wrote:
> On 10/16/08 07:48, Stephen Smalley wrote:
> > Move the remaining FMAC permission checking hooks (link, setattr) from
> > the fop layer into the filesystem code for consistency with the other
> > permission checking hooks. This also allows fmac_vnode_link() to occur
> > after the VOP_REALVP call by the filesystem code and thus not need to
> > separately invoke it. The fmac_vnode_link() hook is required in order
> > to check link permission to the target file. The fmac_vnode_setattr()
> > hook is required in order to ensure that setattr permission to the
> > target file is always checked, as the existing zfs access checks can be
> > overridden by the various secpolicy hooks called by zfs_setattr(). This
> > might be later obsoleted by the integration of FMAC and privileges.
> >
> > Webrev at: http://cr.opensolaris.org/~sds/linksetattr/
>
> Acked-by: John Weeks
>
> Please resolve cstyle issue before pushing.

Revised patch to fix all cstyle issues reported by cstyle -cpP on all files modified by this patch.
Files:
update: usr/src/uts/common/fmac/fmac.c
update: usr/src/uts/common/fs/tmpfs/tmp_vnops.c
update: usr/src/uts/common/fs/vnode.c
update: usr/src/uts/common/fs/zfs/zfs_vnops.c
update: usr/src/uts/common/sys/fmac/fmac.h

From john.weeks at sun.com Wed Oct 29 12:16:47 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Wed, 29 Oct 2008 12:16:47 -0700 (PDT)
Subject: [fmac-notify] fmac-gate merge before push
Message-ID: <200810291916.m9TJGlSc014529@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: da5be6cc4191b545a9ef56b84cb6378fc980bb9b
Total changesets: 1

Log message:
fmac-gate merge before push

Files:

From john.weeks at sun.com Wed Oct 29 12:16:47 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Wed, 29 Oct 2008 12:16:47 -0700 (PDT)
Subject: [fmac-notify] [PATCH] newrole, fmacsetup and policy updates
Message-ID: <200810291916.m9TJGlnt014526@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: a5fda081c83b1c9c7ba39f7c6fb3a5666f620a5f
Total changesets: 1

Log message:
[PATCH] newrole, fmacsetup and policy updates

This patch represents the final set of changes for our Alpha 3 release.
Files:
create: usr/src/cmd/fmac/fmacsetup/Makefile
create: usr/src/cmd/fmac/fmacsetup/fmacsetup.sh
create: usr/src/cmd/fmac/newrole/Makefile
create: usr/src/cmd/fmac/newrole/newrole.c
create: usr/src/cmd/fmac/policy/domains/program/mozilla.te
delete: usr/src/cmd/fmac/policy/domains/program/netscape.te
update: usr/src/cmd/fmac/Makefile
update: usr/src/cmd/fmac/policy/Makefile
update: usr/src/cmd/fmac/policy/domains/admin/sysadm.te
update: usr/src/cmd/fmac/policy/domains/every.te
update: usr/src/cmd/fmac/policy/domains/program/gnome-pty-helper.te
update: usr/src/cmd/fmac/policy/domains/program/ifconfig.te
update: usr/src/cmd/fmac/policy/domains/program/newrole.te
update: usr/src/cmd/fmac/policy/domains/system/portmap.te
update: usr/src/cmd/fmac/policy/domains/system/syslogd.te
update: usr/src/cmd/fmac/policy/domains/user/user.te
update: usr/src/cmd/fmac/policy/file_contexts
update: usr/src/cmd/fmac/policy/rbac
update: usr/src/cmd/fmac/policy/users
update: usr/src/cmd/fmac/setfiles/Makefile
update: usr/src/cmd/svc/milestone/fs-root
update: usr/src/pkgdefs/SUNWcsr/prototype_com
update: usr/src/pkgdefs/SUNWesu/prototype_com

From john.weeks at sun.com Wed Oct 29 12:57:47 2008
From: john.weeks at sun.com (john.weeks at sun.com)
Date: Wed, 29 Oct 2008 12:57:47 -0700 (PDT)
Subject: [fmac-notify] Added tag fmac_alpha3 for changeset da5be6cc4191
Message-ID: <200810291957.m9TJvldu028641@oss-app2.opensolaris.org>

Author: John Weeks
Repository: /hg/fmac/fmac-gate
Latest revision: 15405b8c3bd384e068216287ca7c3c2cb766149a
Total changesets: 1

Log message:
Added tag fmac_alpha3 for changeset da5be6cc4191

Files:
update: .hgtags