PERFORCE change 111493 for review
Todd Miller
millert at FreeBSD.org
Mon Dec 11 14:16:37 PST 2006
http://perforce.freebsd.org/chv.cgi?CH=111493
Change 111493 by millert at millert_g5tower on 2006/12/11 21:46:25
Rip out base policy support; it doesn't really add security.
The only real way to guarantee that a module is loaded is
to link it statically.
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/Makeconfig.in#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#31 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#34 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/Makefile#4 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/Makeconfig.in#3 (text+ko) ====
@@ -1,6 +1,6 @@
# List the security modules you want to use
-SECURITY_MODULES ?= basetest sedarwin
+SECURITY_MODULES ?= sedarwin
#
# You shouldn't have to edit anything else
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_base.c#31 (text+ko) ====
@@ -148,13 +148,6 @@
*/
extern zone_t mac_audit_data_zone;
-/*
- * mac_static_base_mpc holds a pointer to the single instance of the base
- * policy MAC configuration structure. This pointer must be set at boot,
- * before the BSD init function is called.
- */
-struct mac_policy_conf *mac_static_base_mpc = NULL;
-
/*
* mac_policy_list holds the list of policy modules. Modules with a
* handle lower than staticmax are considered "static" and cannot be
@@ -438,11 +431,6 @@
struct mac_policy_conf *mpc;
u_int i;
- if (mac_static_base_mpc == NULL)
- panic("Base MAC policy is not registered");
- else
- mac_static_base_mpc->mpc_ops->mpo_base_notify_finalize();
-
mac_audit_data_zone = zinit(MAC_AUDIT_DATA_LIMIT,
AQ_HIWATER * MAC_AUDIT_DATA_LIMIT,
8192, "mac_audit_data_zone");
@@ -644,40 +632,6 @@
#endif
}
-static void
-mac_base_policy_register(struct mac_policy_conf *mpc)
-{
- int error;
- u_int i;
- struct mac_policy_conf *lmpc;
-
- if (mac_static_base_mpc != NULL)
- panic("Attempt to load second MAC base policy");
-
- mac_static_base_mpc = mpc;
-
- /*
- * Tell the base policy about the static already-loaded modules.
- * This code is executed at boot time. The base policy is
- * responsible for halting the system, if desired. Otherwise
- * the previously loaded module will stay in place.
- */
- for (i = 0; i < mac_policy_list.staticmax; i++) {
- lmpc = mac_get_mpc(i);
- if (lmpc == NULL)
- continue;
- /* For now we'll check every policy regardless of dynamic flag.
- If by some freak occurance a dynamic policy is loaded at
- this point it needs to be approved as well.
- */
- error =
- mac_static_base_mpc->mpc_ops->mpo_base_check_module_load(lmpc);
- if (error != 0)
- printf("Module %s is not approved for loading.\n",
- lmpc->mpc_name);
- }
-}
-
static __inline void
mac_policy_fixup_mmd_list(struct mac_module_data *new)
{
@@ -751,17 +705,6 @@
mac_policy_grab_exclusive();
}
- /* Call the base module to approve the loading of this MAC module. */
- if (mac_static_base_mpc != NULL) {
- error =
- mac_static_base_mpc->mpc_ops->mpo_base_check_module_load(mpc);
- if (error != 0) {
- printf("Module %s is not approved for loading.\n",
- mpc->mpc_name);
- goto out;
- }
- }
-
if (mac_policy_list.numloaded >= mac_policy_list.max) {
/* allocate new policy list array, zero new chunk */
tmac_policy_list_element =
@@ -867,9 +810,6 @@
mac_policy_updateflags();
- if ((mpc->mpc_loadtime_flags & MPC_LOADTIME_BASE_POLICY) != 0)
- mac_base_policy_register(mpc);
-
if (mac_late)
mac_policy_release_exclusive();
@@ -905,17 +845,6 @@
return (0);
}
- /* Call the base module to approve the unloading of this MAC module. */
- if (mac_static_base_mpc != NULL) {
- error =
- mac_static_base_mpc->mpc_ops->mpo_base_check_module_unload(mpc);
- if (error != 0) {
- printf("Module %s is not approved for unloading.\n",
- mpc->mpc_name);
- mac_policy_release_exclusive();
- return (EBUSY);
- }
- }
#if 0
/*
* Don't allow unloading modules with private data.
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#34 (text+ko) ====
@@ -185,48 +185,6 @@
void *args
);
/**
- @brief Base Policy approve MAC module load event
- @param mpc MAC policy configuration
-
- This function is called when a MAC policy is loaded. The Base policy
- can perform a series of checks on the MAC policy, and return 0
- if the MAC policy load is approved, non-zero otherwise. In the non-zero
- case, the MAC framework will not incorporate the policy, and the failure
- will be logged.
-
- @return On success, 0, otherwise, an appropriate errno return value.
-*/
-typedef int mpo_base_check_module_load_t(
- struct mac_policy_conf *mpc
-);
-/**
- @brief Base Policy approve MAC module unload event
- @param mpc MAC policy configuration
-
- This function is called when a MAC policy is unloaded. The Base policy
- can perform a series of checks on the MAC policy, and return 0
- if the MAC policy unload is approved, non-zero otherwise. In the non-zero
- case, the MAC framework will not unload the policy, and the failure
- will be logged.
-
- @return On success, 0, otherwise, an appropriate errno return value.
-*/
-typedef int mpo_base_check_module_unload_t(
- struct mac_policy_conf *mpc
-);
-/**
- @brief Base Policy finalize event
-
- This function is called when the MAC framework is finishing its setup
- during BSD subsystem initilization. The Base policy can perform a final
- check on MAC policy registrations, and panic the system if so desired.
- A return from this function means that the MAC framework is ready to go.
- As an example, the Base policy can check a list of required
- MAC policies, and if not all are present, panic.
-
-*/
-typedef void mpo_base_notify_finalize_t(void);
-/**
@brief Indicate desire to change the process label at exec time
@param old Existing subject credential
@param vp File being executed
@@ -5028,9 +4986,6 @@
struct mac_policy_ops {
mpo_audit_check_postselect_t *mpo_audit_check_postselect;
mpo_audit_check_preselect_t *mpo_audit_check_preselect;
- mpo_base_check_module_load_t *mpo_base_check_module_load;
- mpo_base_check_module_unload_t *mpo_base_check_module_unload;
- mpo_base_notify_finalize_t *mpo_base_notify_finalize;
mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
mpo_cred_check_label_update_t *mpo_cred_check_label_update;
mpo_cred_check_visible_t *mpo_cred_check_visible;
==== //depot/projects/trustedbsd/sedarwin8/policies/Makefile#4 (text+ko) ====
@@ -1,5 +1,5 @@
-SUBDIR= basetest color console count device_access extattr_test \
- fwinteg ipctrace mls multilabel none readonly stacktrace \
+SUBDIR= color console count device_access extattr_test \
+ ipctrace mls multilabel none readonly stacktrace \
stub test vanity xattr
SUBDIR+= sedarwin
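Review bot: The new SUBDIR list drops `fwinteg` as well as `basetest`, but the change description covers only base policy support, and neither `policies/basetest` nor `policies/fwinteg` appears in the Affected files list, so both source trees presumably remain in the depot while silently falling out of the build. If fwinteg is being dropped because it depended on the removed `mpo_base_check_module_load`/`mpo_base_notify_finalize` hooks, that deserves a sentence in the description; if it was removed by accident it should stay on the list. A stale `SECURITY_MODULES` override that still names `basetest` would now reference a directory that is not built, and nothing visible in this hunk validates that list against `SUBDIR`.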