diff --git a/lib/libugidfw/Makefile b/lib/libugidfw/Makefile
index 51dfeb9da1e1..1eb43d0fe24e 100644
--- a/lib/libugidfw/Makefile
+++ b/lib/libugidfw/Makefile
@@ -5,4 +5,12 @@ SHLIB_MAJOR= 1
 SRCS= ugidfw.c
 INCS= ugidfw.h
+MAN+= bsde_get_rule.3 bsde_get_rule_count.3 bsde_parse_rule.3 \
+ bsde_rule_to_string.3 libugidfw.3
+
+MLINKS= bsde_get_rule.3 bsde_delete_rule.3
+MLINKS+= bsde_get_rule.3 bsde_set_rule.3
+MLINKS+= bsde_get_rule_count.3 bsde_get_rule_slots.3
+MLINKS+= bsde_parse_rule.3 bsde_parse_rule_string.3
+
 .include
diff --git a/lib/libugidfw/bsde_get_rule.3 b/lib/libugidfw/bsde_get_rule.3
new file mode 100644
index 000000000000..72136528f13d
--- /dev/null
+++ b/lib/libugidfw/bsde_get_rule.3
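Review bot: The MAN and MLINKS lines install no page for bsde_parse_identity(3) or bsde_parse_mode(3), yet libugidfw.3, added later in this same commit, lists both functions and cross-references them with `.Xr bsde_parse_identity 3` and `.Xr bsde_parse_mode 3`, so those links will point at pages that do not exist in the installed tree. Either add the two pages to MAN here (or an MLINKS entry pointing at whichever page ends up documenting them) or drop the two entries from libugidfw.3 so the library overview only references what is shipped. The context line `.include` is shown without its argument, which is most likely an artifact of how this page was captured rather than a change to the file, but it is worth confirming the line still reads `.include <bsd.lib.mk>` in the tree.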
@@ -0,0 +1,122 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd JANUARY 7, 2003
+.Os
+.Dt BSDE_GET_RULE 3
+.Sh NAME
+.Nm bsde_get_rule ,
+.Nm bsde_set_rule ,
+.Nm bsde_delete_rule
+.Nd file system firewall rules list management
+.Sh LIBRARY
+.Lb libugidfw
+.Sh SYNOPSIS
+.In ugidfw.h
+.Ft int
+.Fn bsde_get_rule "int rulenum" "struct mac_bsdextended_rule *rule" "size_t errlen" "char *errstr"
+.Ft int
+.Fn bsde_set_rule "int rulenum" "struct mac_bsdextended_rule *rule" "size_t errlen" "char *errstr"
+.Ft int
+.Fn bsde_delete_rule "int rulenum" "size_t errlen" "char *errstr"
+.Sh DESCRIPTION
+The
+.Fn bsde_get_rule
+function fills in
+.Fa *rule
+with the rule numbered
+.Fa rulenum .
+If an error occurs,
+.Fa *errstr
+is filled in with the error string
+(up to
+.Fa errlen
+characters, including the terminating NUL).
+.Pp
+The
+.Fn bsde_set_rule
+function fills the slot numbered
+.Fa rulenum
+with the specified rule
+(in
+.Vt "struct mac_bsdextended_rule"
+form, either from
+.Xr bsde_get_rule 3
+or
+.Xr bsde_parse_rule 3 ) .
+If an error occurs,
+.Fa *errstr
+is filled with the error string
+(up to
+.Fa errlen
+characters, including the terminating NUL).
+.Pp
+The
+.Fn bsde_delete_rule
+function deletes the rule numbered
+.Fa rulenum .
+If an error occurs,
+.Fa *errstr
+is filled with the error string
+(up to
+.Fa errlen
+characters, including the terminating NUL).
+.Sh RETURN VALUES
+The
+.Fn bsde_get_rule ,
+.Fn bsde_set_rule ,
+and
+.Fn bsde_delete_rule
+functions return
+.Li 0
+if successful;
+otherwise the value
+.Li \&-1
+is returned and the value of
+.Fa *errstr
+is filled in as documented in
+.Sx DESCRIPTION .
+.Sh SEE ALSO
+.Xr bsde_get_rule_count 3 ,
+.Xr bsde_get_rule_slots 3 ,
+.Xr bsde_parse_rule 3 ,
+.Xr bsde_parse_rule_string 3 ,
+.Xr bsde_rule_to_string 3 ,
+.Xr libugidfw 3 ,
+.Xr mac_bsdextended 4 ,
+.Xr ugidfw 8
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
diff --git a/lib/libugidfw/bsde_get_rule_count.3 b/lib/libugidfw/bsde_get_rule_count.3
new file mode 100644
index 000000000000..2152f6aafbed
--- /dev/null
+++ b/lib/libugidfw/bsde_get_rule_count.3
@@ -0,0 +1,90 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd JANUARY 7, 2003
+.Os
+.Dt BSDE_GET_RULE_COUNT 3
+.Sh NAME
+.Nm bsde_get_rule_count ,
+.Nm bsde_get_rule_slots
+.Nd file system firewall statistics
+.Sh LIBRARY
+.Lb libugidfw
+.Sh SYNOPSIS
+.In ugidfw.h
+.Ft int
+.Fn bsde_get_rule_count "size_t errlen" "char *errstr"
+.Ft int
+.Fn bsde_get_rule_slots "size_t errlen" "char *errstr"
+.Sh DESCRIPTION
+The
+.Fn bsde_get_rule_count
+and
+.Fn bsde_get_rule_slots
+return the total number of enforced rules
+and the total number of used rule slots, respectively.
+If an error occurs,
+.Fa *errstr
+is filled in with the error string
+(up to
+.Fa errlen
+characters, including the terminating NUL).
+.Sh RETURN VALUES
+The
+.Fn bsde_get_rule_count
+and
+.Fn bsde_get_rule_slots
+functions return
+the number of enforced rules and rule slots (respectively)
+if successful;
+otherwise the value
+.Li \&-1
+is returned and the value of
+.Fa *errstr
+is filled in as documented in
+.Sx DESCRIPTION .
+.Sh SEE ALSO
+.Xr bsde_delete_rule 3 ,
+.Xr bsde_get_rule 3 ,
+.Xr bsde_parse_rule 3 ,
+.Xr bsde_parse_rule_string 3 ,
+.Xr bsde_rule_to_string 3 ,
+.Xr bsde_set_rule 3 ,
+.Xr libugidfw 3 ,
+.Xr mac_bsdextended 4 ,
+.Xr ugidfw 8
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
diff --git a/lib/libugidfw/bsde_parse_rule.3 b/lib/libugidfw/bsde_parse_rule.3
new file mode 100644
index 000000000000..47610bf128d0
--- /dev/null
+++ b/lib/libugidfw/bsde_parse_rule.3
@@ -0,0 +1,99 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd JANUARY 7, 2003
+.Os
+.Dt BSDE_PARSE_RULE 3
+.Sh NAME
+.Nm bsde_parse_rule ,
+.Nm bsde_parse_rule_string
+.Nd parse file system firewall rules
+.Sh LIBRARY
+.Lb libugidfw
+.Sh SYNOPSIS
+.In ugidfw.h
+.Ft int
+.Fn bsde_parse_rule "int argc" "char *argv[]" "struct mac_bsdextended_rule *rule" "size_t buflen" "char *errstr"
+.Ft int
+.Fn bsde_parse_rule_string "const char *string" "struct mac_bsdextended_rule *rule" "size_t buflen" "char *errstr"
+.Sh DESCRIPTION
+The
+.Fn bsde_parse_rule
+function parses an argument vector
+(e.g.
+.Fa argv
+as passed to
+.Fn main )
+into
+.Fa rule .
+If an error occurs,
+.Fa *errstr
+is filled in with the error string
+(up to
+.Fa errlen
+characters, including the terminating NUL).
+.Pp
+The
+.Fn bsde_parse_rule_string
+function is identical to
+.Fn bsde_parse_rule ,
+except that it parse a single string, rather than an array of arguments.
+.Sh RETURN VALUES
+The
+.Fn bsde_parse_rule_string
+and
+.Fn bsde_parse_rule
+functions return
+.Li 0
+if successful;
+otherwise the value
+.Li \&-1
+is returned and the value of
+.Fa *errstr
+is filled in as documented in
+.Sx DESCRIPTION .
+.Sh SEE ALSO
+.Xr bsde_delete_rule 3 ,
+.Xr bsde_get_rule 3 ,
+.Xr bsde_get_rule_count 3 ,
+.Xr bsde_get_rule_slots 3 ,
+.Xr bsde_rule_to_string 3 ,
+.Xr bsde_set_rule 3 ,
+.Xr libugidfw 3 ,
+.Xr mac_bsdextended 4 ,
+.Xr ugidfw 8
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
diff --git a/lib/libugidfw/bsde_rule_to_string.3 b/lib/libugidfw/bsde_rule_to_string.3
new file mode 100644
index 000000000000..e022fd63381b
--- /dev/null
+++ b/lib/libugidfw/bsde_rule_to_string.3
@@ -0,0 +1,80 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd JANUARY 7, 2003
+.Os
+.Dt BSDE_RULE_TO_STRING 3
+.Sh NAME
+.Nm bsde_rule_to_string
+.Nd converts a ugidfw rule into its text representation
+.Sh LIBRARY
+.Lb libugidfw
+.Sh SYNOPSIS
+.In ugidfw.h
+.Ft int
+.Fn bsde_rule_to_string "struct mac_bsdextended_rule *rule" "char *buf" "size_t buflen"
+.Sh DESCRIPTION
+The
+.Fn bsde_rule_to_string
+function converts a rule in its internal representation
+.Vt ( "struct mac_bsdextended_rule" )
+into its text representation and writes up to
+.Fa buflen
+bytes of it to
+.Fa buf
+(including the terminating NUL).
+.Sh RETURN VALUES
+The
+.Fn bsde_rule_to_string
+function returns
+.Li \&-1
+if the conversion was truncated;
+otherwise the value
+.Li 0
+is returned.
+.Sh SEE ALSO
+.Xr bsde_delete_rule 3 ,
+.Xr bsde_get_rule 3 ,
+.Xr bsde_get_rule_count 3 ,
+.Xr bsde_get_rule_slots 3 ,
+.Xr bsde_parse_rule 3 ,
+.Xr bsde_parse_rule_string 3 ,
+.Xr bsde_set_rule 3 ,
+.Xr libugidfw 3 ,
+.Xr mac_bsdextended 4 ,
+.Xr ugidfw 8
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.
diff --git a/lib/libugidfw/libugidfw.3 b/lib/libugidfw/libugidfw.3
new file mode 100644
index 000000000000..36dbc9b6db34
--- /dev/null
+++ b/lib/libugidfw/libugidfw.3
@@ -0,0 +1,116 @@
+.\" Copyright (c) 2003 Networks Associates Technology, Inc.
+.\" All rights reserved.
+.\"
+.\" This software was developed for the FreeBSD Project by Chris
+.\" Costello at Safeport Network Services and Network Associates
+.\" Laboratories, the Security Research Division of Network Associates,
+.\" Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part
+.\" of the DARPA CHATS research program.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.Dd JANUARY 5, 2003
+.Os
+.Dt LIBUGIDFW 3
+.Sh NAME
+.Nm libugidfw
+.Nd library interface to the fire system firewall MAC policy
+.Sh LIBRARY
+.Lb libugidfw
+.Sh SYNOPSIS
+.In ugidfw.h
+.Sh DESCRIPTION
+The
+.Nm
+library routines provide an interface to the
+.Xr mac_bsdextended 4
+file system firewall MAC policy.
+.Pp
+The
+.Nm
+library defines the following functions:
+.Bl -tag -width "bsde_parse_rule_strong"
+.It Fn bsde_rule_to_string
+Converts the internal representation of a rule
+.Vt ( "struct mac_bsdextended_rule" )
+into its text representation;
+see
+.Xr bsde_rule_to_string 3 .
+.It Fn bsde_parse_identity
+Parses the identity of a subject or object;
+see
+.Xr bsde_parse_identity 3 .
+.It Fn bsde_parse_mode
+Parses the access mode for a ugidfw rule;
+see
+.Xr bsde_parse_mode 3 .
+.It Fn bsde_parse_rule
+Parses an entire rule
+(in argument array form);
+see
+.Xr bsde_parse_rule 3 .
+.It Fn bsde_parse_rule_string
+Parse an entire rule string;
+see
+.Xr bsde_parse_rule_string 3 .
+.It Fn bsde_get_rule_count
+Returns the total number of ugidfw rules being enforced in the system;
+see
+.Xr bsde_get_rule_count 3 .
+.It Fn bsde_get_rule_slots
+Returns the total number of used rule slots;
+see
+.Xr bsde_get_rule_slots 3 .
+.It Fn bsde_get_rule
+Returns a rule by its rule number;
+see
+.Xr bsde_get_rule 3 .
+.It Fn bsde_delete_rule
+Deletes a rule by its rule number;
+see
+.Xr bsde_delete_rule 3 .
+.It Fn bsde_set_rule
+Uploads the rule to the
+.Xr mac_bsdextended 4
+module and applies it;
+see
+.Xr bsde_set_rule 3 .
+.El
+.Sh SEE ALSO
+.Xr bsde_delete_rule 3 ,
+.Xr bsde_get_rule 3 ,
+.Xr bsde_get_rule_count 3 ,
+.Xr bsde_get_rule_slots 3 ,
+.Xr bsde_parse_identity 3 ,
+.Xr bsde_parse_mode 3 ,
+.Xr bsde_parse_rule 3 ,
+.Xr bsde_parse_rule_string 3 ,
+.Xr bsde_rule_to_string 3 ,
+.Xr bsde_set_rule 3
+.Sh AUTHORS
+This software was contributed to the
+.Fx
+Project by Network Associates Labs,
+the Security Research Division of Network Associates
+Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
+as part of the DARPA CHATS research program.