
Add filename glob matching to mac_bsdextended
Needs Review · Public

Authored by cracauer on Mon, Mar 30, 4:46 PM.

Details

Reviewers
olce
kevans
Summary

Add filename glob matching to mac_bsdextended, the "firewall for
filesystem operations". You can make statements like this:

ugidfw add subject uid 121 object glob '*.php' mode arx

which forbids user 121 from ever writing to *.php files. To prevent
circumvention of this mechanism, this change also prohibits hardlinking
to files matching the glob.

The first half of this work has been sponsored by Klara, Inc.

Testing:

  • kyua tests added
  • existing tests still pass
  • pounding with buildworld with glob in effect

About the size of the diff: the functional change is small. The
globbing library was already present in the kernel. The size of this
diff is dominated by the plumbing required to transport the file name
to the point of decision. Up to this point only a minority of system
calls had access to the file name in mac_bsdextended (they only had
the vnode, not the inode). This can now be used by future
mac_bsdextended modules as well. Additional code deals with
prohibiting hard links to glob-matched files.

Performance:

Globbing in fnmatch is about as slow as a basic system call:

119.0 nsec/call      119.0 user        0.0 sys: fnmatch
127.8 nsec/call       20.2 user      107.7 sys: getrusage
170.9 nsec/call       11.6 user      159.4 sys: read8kdevzero

(benchmark at https://github.com/cracauer/ulmbenchmarks)

make buildworld buildkernel. This is 16-current with INVARIANTS in
bhyve. User 121 is the user doing the build, so globbing fires on
every open(2) and related system calls.

No glob, mac_bsdextended not loaded:
1:40:03 6003.15 real 42400.37 user 2167.79 sys 742% CPU
92101/591849082 faults
1:43:11 6191.07 real 43558.38 user 2526.62 sys 744% CPU
97473/591930723 faults

sudo ugidfw add subject uid 121 object glob '*.php' mode n
1:42:34 6154.16 real 43040.48 user 2626.75 sys 742% CPU
98907/591924022 faults
1:43:06 6186.03 real 43354.18 user 2722.03 sys 744% CPU
93617/591949345 faults

sudo ugidfw add subject uid 121 object glob '*.php' mode arx
1:44:19 6259.64 real 43736.09 user 2805.44 sys 743% CPU
93558/591959709 faults
1:44:40 6280.29 real 43854.63 user 2951.23 sys 745% CPU
97989/591963548 faults

mac_bsdextended just loaded, no rules:
1:44:44 6284.11 real 43868.69 user 2847.66 sys 743% CPU
95020/591975222 faults
1:44:43 6283.07 real 43881.56 user 2808.81 sys 743% CPU
97596/591963208 faults

(it also looks like the VM gets slower over time, but that is a
different topic)
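
The rule from the summary, and the reason hard links to glob-matched files have to be refused, as a userland model added here (this is not code from the diff). It assumes the glob is compared against the last path component with fnmatch(3) and no flags; the struct, the function names and the sample paths are hypothetical.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Access bits named after the ugidfw mode letters a, r, s, w, x. */
enum { M_ADMIN = 1, M_READ = 2, M_STAT = 4, M_WRITE = 8, M_EXEC = 16 };

struct rule {
    uid_t subject_uid;   /* "subject uid N" */
    const char *glob;    /* "object glob PATTERN" */
    int allowed;         /* "mode ...": the accesses that stay permitted */
};

/* The rule from the summary: subject uid 121 object glob '*.php' mode arx */
static const struct rule php_rule = { 121, "*.php", M_ADMIN | M_READ | M_EXEC };

/* Assumption: the glob is compared with the last path component only. */
static const char *leaf(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

static bool rule_applies(const struct rule *r, uid_t uid, const char *path) {
    return r->subject_uid == uid && fnmatch(r->glob, leaf(path), 0) == 0;
}

/* Name-based check: deny any requested bit outside the rule's mode. */
bool access_ok(const struct rule *r, uid_t uid, const char *path, int want) {
    return !rule_applies(r, uid, path) || (want & ~r->allowed) == 0;
}

/* True if a second name for the same file would escape the write restriction. */
bool alias_would_bypass(const struct rule *r, uid_t uid, const char *existing, const char *alias) {
    return !access_ok(r, uid, existing, M_WRITE) && access_ok(r, uid, alias, M_WRITE);
}

/* Link check: refuse to give a glob-matched file an additional name. */
bool link_ok(const struct rule *r, uid_t uid, const char *existing) {
    return !rule_applies(r, uid, existing);
}

int main(void) {
    const char *f = "/var/www/index.php", *alias = "/var/www/index.bak"; /* constructed paths */
    printf("write %s: %s\n", f, access_ok(&php_rule, 121, f, M_WRITE) ? "allowed" : "denied");
    printf("name-only check bypassable via %s: %s\n", alias,
        alias_would_bypass(&php_rule, 121, f, alias) ? "yes" : "no");
    printf("link(%s, ...): %s\n", f, link_ok(&php_rule, 121, f) ? "allowed" : "denied");
    return 0;
}
```
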

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 71831
Build 68714: arc lint + arc unit