Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ad146809be
NetBSD/sys/kern/kern_auth.c

1173 lines
26 KiB
C
Raw Normal View History

Expose struct kauth_cred for the benefit of the debugger. I can't convince gcc to produce debug info for the structure if it does not appear in more than one source file.
2015-10-07 01:13:39 +03:00
/* $NetBSD: kern_auth.c,v 1.75 2015/10/06 22:13:39 christos Exp $ */
add kauth backend.
2006-05-15 01:12:38 +04:00
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
Remove advertising clause from all of my stuff.
2007-01-09 15:49:36 +03:00
* 3. The name of the author may not be used to endorse or promote products
add kauth backend.
2006-05-15 01:12:38 +04:00
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
2006-09-09 01:57:38 +04:00
#include <sys/cdefs.h>
Expose struct kauth_cred for the benefit of the debugger. I can't convince gcc to produce debug info for the structure if it does not appear in more than one source file.
2015-10-07 01:13:39 +03:00
__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.75 2015/10/06 22:13:39 christos Exp $");
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
2006-09-09 01:57:38 +04:00
Revert the kauth_impl.h change. Elad is going to maintain this. Asked by core@
2007-02-24 23:41:33 +03:00
#include <sys/types.h>
add kauth backend.
2006-05-15 01:12:38 +04:00
#include <sys/param.h>
#include <sys/queue.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/pool.h>
Expose struct kauth_cred for the benefit of the debugger. I can't convince gcc to produce debug info for the structure if it does not appear in more than one source file.
2015-10-07 01:13:39 +03:00
#define __KAUTH_PRIVATE
add kauth backend.
2006-05-15 01:12:38 +04:00
#include <sys/kauth.h>
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
#include <sys/kmem.h>
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
#include <sys/rwlock.h>
Tiny cosmetics...
2009-12-31 05:20:36 +03:00
#include <sys/sysctl.h>
Use atomics to adjust the credential reference count.
2007-11-29 20:48:27 +03:00
#include <sys/atomic.h>
Revert the kauth_impl.h change. Elad is going to maintain this. Asked by core@
2007-02-24 23:41:33 +03:00
#include <sys/specificdata.h>
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
#include <sys/vnode.h>
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication. When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example: bool isroot; error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot); if (error == 0 && !isroot) result = KAUTH_RESULT_DENY; This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error. Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects. Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error. We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9). The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation: - curtain can be enabled any time, but cannot be disabled if securelevel is above 0. - usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0. Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat. Documentation is incoming, I am proof-reading my writings. Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@. See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html XXX might consider va0 mapping too. XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now.
2011-12-04 23:24:58 +04:00
#include <secmodel/secmodel.h>
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
/*
* Secmodel-specific credentials.
*/
struct kauth_key {
Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication. When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example: bool isroot; error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot); if (error == 0 && !isroot) result = KAUTH_RESULT_DENY; This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error. Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects. Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error. We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9). The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation: - curtain can be enabled any time, but cannot be disabled if securelevel is above 0. - usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0. Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat. Documentation is incoming, I am proof-reading my writings. Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@. See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html XXX might consider va0 mapping too. XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now.
2011-12-04 23:24:58 +04:00
secmodel_t ks_secmodel; /* secmodel */
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
specificdata_key_t ks_key; /* key */
};
add kauth backend.
2006-05-15 01:12:38 +04:00
Revert the kauth_impl.h change. Elad is going to maintain this. Asked by core@
2007-02-24 23:41:33 +03:00
add kauth backend.
2006-05-15 01:12:38 +04:00
/*
* Listener.
*/
struct kauth_listener {
kauth_scope_callback_t func; /* callback */
kauth_scope_t scope; /* scope backpointer */
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
u_int refcnt; /* reference count */
add kauth backend.
2006-05-15 01:12:38 +04:00
SIMPLEQ_ENTRY(kauth_listener) listener_next; /* listener list */
};
/*
* Scope.
*/
struct kauth_scope {
const char *id; /* scope name */
void *cookie; /* user cookie */
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
u_int nlisteners; /* # of listeners */
add kauth backend.
2006-05-15 01:12:38 +04:00
SIMPLEQ_HEAD(, kauth_listener) listenq; /* listener list */
SIMPLEQ_ENTRY(kauth_scope) next_scope; /* scope list */
};
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
static int kauth_cred_hook(kauth_cred_t, kauth_action_t, void *, void *);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* List of scopes and its lock. */
Change some initialization of static queues to compile time. (xxx_INIT to xxx_HEAD_INITIALIZER). Drop code which inits non-auto (global or static) variables to 0 since that's already implied by being non-auto. Init some static/global cpu_simple_locks at compile time.
2007-11-12 02:22:23 +03:00
static SIMPLEQ_HEAD(, kauth_scope) scope_list =
SIMPLEQ_HEAD_INITIALIZER(scope_list);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Built-in scopes: generic, process. */
static kauth_scope_t kauth_builtin_scope_generic;
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
static kauth_scope_t kauth_builtin_scope_system;
add kauth backend.
2006-05-15 01:12:38 +04:00
static kauth_scope_t kauth_builtin_scope_process;
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
static kauth_scope_t kauth_builtin_scope_network;
static kauth_scope_t kauth_builtin_scope_machdep;
Implement the "device" scope. It uses an authorization wrapper per device class on the system to ensure type-safety. For now, it supports only terminal (TTY) devices, and has two actions for them: "open terminal" and "privileged set". Sample usage has been added to i386 and hp300 code for reference. Update documentation.
2006-10-01 00:05:57 +04:00
static kauth_scope_t kauth_builtin_scope_device;
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
static kauth_scope_t kauth_builtin_scope_cred;
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
static kauth_scope_t kauth_builtin_scope_vnode;
add kauth backend.
2006-05-15 01:12:38 +04:00
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
static specificdata_domain_t kauth_domain;
Merge from vmlocking: - pool_cache changes. - Debugger/procfs locking fixes. - Other minor changes.
2007-11-07 03:23:13 +03:00
static pool_cache_t kauth_cred_cache;
Tiny cosmetics...
2009-12-31 05:20:36 +03:00
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
krwlock_t kauth_lock;
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Allocate new, empty kauth credentials. */
kauth_cred_t
KNF. wrap a long line.
2006-05-23 04:43:30 +04:00
kauth_cred_alloc(void)
{
add kauth backend.
2006-05-15 01:12:38 +04:00
kauth_cred_t cred;
Merge from vmlocking: - pool_cache changes. - Debugger/procfs locking fixes. - Other minor changes.
2007-11-07 03:23:13 +03:00
cred = pool_cache_get(kauth_cred_cache, PR_WAITOK);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_refcnt = 1;
Merge from vmlocking: - pool_cache changes. - Debugger/procfs locking fixes. - Other minor changes.
2007-11-07 03:23:13 +03:00
cred->cr_uid = 0;
cred->cr_euid = 0;
cred->cr_svuid = 0;
cred->cr_gid = 0;
cred->cr_egid = 0;
cred->cr_svgid = 0;
cred->cr_ngroups = 0;
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
specificdata_init(kauth_domain, &cred->cr_sd);
kauth_cred_hook(cred, KAUTH_CRED_INIT, NULL, NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred);
}
/* Increment reference count to cred. */
void
kauth_cred_hold(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt > 0);
add kauth backend.
2006-05-15 01:12:38 +04:00
KNF fix. space vs. tab
2012-06-27 14:06:55 +04:00
atomic_inc_uint(&cred->cr_refcnt);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
/* Decrease reference count to cred. If reached zero, free it. */
void
KNF. wrap a long line.
2006-05-23 04:43:30 +04:00
kauth_cred_free(kauth_cred_t cred)
{
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt > 0);
kauth_cred_free: add an assertion.
2009-08-16 15:01:12 +04:00
ASSERT_SLEEPABLE();
add kauth backend.
2006-05-15 01:12:38 +04:00
Fix minor error in previous.
2007-11-29 22:50:28 +03:00
if (atomic_dec_uint_nv(&cred->cr_refcnt) > 0)
Use atomics to adjust the credential reference count.
2007-11-29 20:48:27 +03:00
return;
add kauth backend.
2006-05-15 01:12:38 +04:00
Use atomics to adjust the credential reference count.
2007-11-29 20:48:27 +03:00
kauth_cred_hook(cred, KAUTH_CRED_FREE, NULL, NULL);
specificdata_fini(kauth_domain, &cred->cr_sd);
pool_cache_put(kauth_cred_cache, cred);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
static void
Simplify the interfaces needed for sys_setgroups() and sys_getgroups(). Exposed that the kauth code holds groups in an array, but removes some of the knowledge of the maximum number of groups. Allows the syscall code to copyin/out directly to/from the cred structure, this save a lot of faffing about with malloc/free even when compat code has to use 16bit groups.
2007-06-23 13:02:12 +04:00
kauth_cred_clone1(kauth_cred_t from, kauth_cred_t to, bool copy_groups)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
KASSERT(from != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(from != NOCRED);
KASSERT(from != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(to != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(to != NOCRED);
KASSERT(to != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(from->cr_refcnt > 0);
add kauth backend.
2006-05-15 01:12:38 +04:00
to->cr_uid = from->cr_uid;
to->cr_euid = from->cr_euid;
to->cr_svuid = from->cr_svuid;
to->cr_gid = from->cr_gid;
to->cr_egid = from->cr_egid;
to->cr_svgid = from->cr_svgid;
Simplify the interfaces needed for sys_setgroups() and sys_getgroups(). Exposed that the kauth code holds groups in an array, but removes some of the knowledge of the maximum number of groups. Allows the syscall code to copyin/out directly to/from the cred structure, this save a lot of faffing about with malloc/free even when compat code has to use 16bit groups.
2007-06-23 13:02:12 +04:00
if (copy_groups) {
to->cr_ngroups = from->cr_ngroups;
memcpy(to->cr_groups, from->cr_groups, sizeof(to->cr_groups));
}
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
kauth_cred_hook(from, KAUTH_CRED_COPY, to, NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
void
kauth_cred_clone(kauth_cred_t from, kauth_cred_t to)
{
kauth_cred_clone1(from, to, true);
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/*
* Duplicate cred and return a new kauth_cred_t.
*/
kauth_cred_t
kauth_cred_dup(kauth_cred_t cred)
{
kauth_cred_t new_cred;
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt > 0);
add kauth backend.
2006-05-15 01:12:38 +04:00
new_cred = kauth_cred_alloc();
kauth_cred_clone(cred, new_cred);
return (new_cred);
}
/*
* Similar to crcopy(), only on a kauth_cred_t.
* XXX: Is this even needed? [kauth_cred_copy]
*/
kauth_cred_t
kauth_cred_copy(kauth_cred_t cred)
{
kauth_cred_t new_cred;
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt > 0);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* If the provided credentials already have one reference, use them. */
if (cred->cr_refcnt == 1)
return (cred);
new_cred = kauth_cred_alloc();
kauth_cred_clone(cred, new_cred);
kauth_cred_free(cred);
return (new_cred);
}
Introduce kauth_proc_fork() to control credential inheritance.
2007-01-15 20:45:32 +03:00
void
kauth_proc_fork(struct proc *parent, struct proc *child)
{
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since we no longer need to guard against access from hardware interrupt handlers. Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the child process share the parent's lock so that signal state may be kept in sync. Partially addresses PR kern/37437.
2008-04-24 22:39:20 +04:00
mutex_enter(parent->p_lock);
Introduce kauth_proc_fork() to control credential inheritance.
2007-01-15 20:45:32 +03:00
kauth_cred_hold(parent->p_cred);
child->p_cred = parent->p_cred;
Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since we no longer need to guard against access from hardware interrupt handlers. Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the child process share the parent's lock so that signal state may be kept in sync. Partially addresses PR kern/37437.
2008-04-24 22:39:20 +04:00
mutex_exit(parent->p_lock);
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
/* XXX: relies on parent process stalling during fork() */
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
kauth_cred_hook(parent->p_cred, KAUTH_CRED_FORK, parent,
child);
Introduce kauth_proc_fork() to control credential inheritance.
2007-01-15 20:45:32 +03:00
}
Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential scope. Reviewed and approved by elad@.
2012-06-27 16:28:28 +04:00
void
kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi)
{
kauth_cred_hook(cred, KAUTH_CRED_CHROOT, cwdi, NULL);
}
add kauth backend.
2006-05-15 01:12:38 +04:00
uid_t
kauth_cred_getuid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_uid);
}
uid_t
kauth_cred_geteuid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_euid);
}
uid_t
kauth_cred_getsvuid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_svuid);
}
gid_t
kauth_cred_getgid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_gid);
}
gid_t
kauth_cred_getegid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_egid);
}
gid_t
kauth_cred_getsvgid(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_svgid);
}
void
kauth_cred_setuid(kauth_cred_t cred, uid_t uid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_uid = uid;
}
void
kauth_cred_seteuid(kauth_cred_t cred, uid_t uid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_euid = uid;
}
void
kauth_cred_setsvuid(kauth_cred_t cred, uid_t uid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_svuid = uid;
}
void
kauth_cred_setgid(kauth_cred_t cred, gid_t gid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_gid = gid;
}
void
kauth_cred_setegid(kauth_cred_t cred, gid_t gid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_egid = gid;
}
void
kauth_cred_setsvgid(kauth_cred_t cred, gid_t gid)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_svgid = gid;
}
/* Checks if gid is a member of the groups in cred. */
int
kauth_cred_ismember_gid(kauth_cred_t cred, gid_t gid, int *resultp)
{
fix sign-compare issues
2009-04-05 15:48:02 +04:00
uint32_t i;
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(resultp != NULL);
*resultp = 0;
for (i = 0; i < cred->cr_ngroups; i++)
if (cred->cr_groups[i] == gid) {
*resultp = 1;
break;
}
return (0);
}
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
u_int
add kauth backend.
2006-05-15 01:12:38 +04:00
kauth_cred_ngroups(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_ngroups);
}
/*
* Return the group at index idx from the groups in cred.
*/
gid_t
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
kauth_cred_group(kauth_cred_t cred, u_int idx)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(idx < cred->cr_ngroups);
return (cred->cr_groups[idx]);
}
/* XXX elad: gmuid is unused for now. */
int
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
kauth_cred_setgroups(kauth_cred_t cred, const gid_t *grbuf, size_t len,
use a correct type for UIO_*.
2007-09-23 20:00:08 +04:00
uid_t gmuid, enum uio_seg seg)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
int error = 0;
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
KASSERT(cred->cr_refcnt == 1);
add kauth backend.
2006-05-15 01:12:38 +04:00
Use __arraycount when appropriate
2008-08-15 05:31:02 +04:00
if (len > __arraycount(cred->cr_groups))
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
return EINVAL;
if (len) {
use a correct type for UIO_*.
2007-09-23 20:00:08 +04:00
if (seg == UIO_SYSSPACE) {
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
memcpy(cred->cr_groups, grbuf,
len * sizeof(cred->cr_groups[0]));
use a correct type for UIO_*.
2007-09-23 20:00:08 +04:00
} else {
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
error = copyin(grbuf, cred->cr_groups,
len * sizeof(cred->cr_groups[0]));
if (error != 0)
len = 0;
}
}
add kauth backend.
2006-05-15 01:12:38 +04:00
memset(cred->cr_groups + len, 0xff,
sizeof(cred->cr_groups) - (len * sizeof(cred->cr_groups[0])));
cred->cr_ngroups = len;
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
return error;
Simplify the interfaces needed for sys_setgroups() and sys_getgroups(). Exposed that the kauth code holds groups in an array, but removes some of the knowledge of the maximum number of groups. Allows the syscall code to copyin/out directly to/from the cred structure, this save a lot of faffing about with malloc/free even when compat code has to use 16bit groups.
2007-06-23 13:02:12 +04:00
}
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
/* This supports sys_setgroups() */
Simplify the interfaces needed for sys_setgroups() and sys_getgroups(). Exposed that the kauth code holds groups in an array, but removes some of the knowledge of the maximum number of groups. Allows the syscall code to copyin/out directly to/from the cred structure, this save a lot of faffing about with malloc/free even when compat code has to use 16bit groups.
2007-06-23 13:02:12 +04:00
int
kauth_proc_setgroups(struct lwp *l, kauth_cred_t ncred)
{
kauth_cred_t cred;
int error;
/*
* At this point we could delete duplicate groups from ncred,
* and plausibly sort the list - but in general the later is
* a bad idea.
*/
proc_crmod_enter();
/* Maybe we should use curproc here ? */
cred = l->l_proc->p_cred;
kauth_cred_clone1(cred, ncred, false);
error = kauth_authorize_process(cred, KAUTH_PROCESS_SETID,
l->l_proc, NULL, NULL, NULL);
if (error != 0) {
proc_crmod_leave(cred, ncred, false);
return error;
}
/* Broadcast our credentials to the process and other LWPs. */
proc_crmod_leave(ncred, cred, true);
return 0;
}
add kauth backend.
2006-05-15 01:12:38 +04:00
int
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
kauth_cred_getgroups(kauth_cred_t cred, gid_t *grbuf, size_t len,
use a correct type for UIO_*.
2007-09-23 20:00:08 +04:00
enum uio_seg seg)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
KASSERT(cred != NULL);
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
if (len > cred->cr_ngroups)
return EINVAL;
add kauth backend.
2006-05-15 01:12:38 +04:00
use a correct type for UIO_*.
2007-09-23 20:00:08 +04:00
if (seg == UIO_USERSPACE)
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
return copyout(cred->cr_groups, grbuf, sizeof(*grbuf) * len);
memcpy(grbuf, cred->cr_groups, sizeof(*grbuf) * len);
add kauth backend.
2006-05-15 01:12:38 +04:00
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
return 0;
Simplify the interfaces needed for sys_setgroups() and sys_getgroups(). Exposed that the kauth code holds groups in an array, but removes some of the knowledge of the maximum number of groups. Allows the syscall code to copyin/out directly to/from the cred structure, this save a lot of faffing about with malloc/free even when compat code has to use 16bit groups.
2007-06-23 13:02:12 +04:00
}
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
int
Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication. When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example: bool isroot; error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot); if (error == 0 && !isroot) result = KAUTH_RESULT_DENY; This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error. Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects. Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error. We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9). The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation: - curtain can be enabled any time, but cannot be disabled if securelevel is above 0. - usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0. Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat. Documentation is incoming, I am proof-reading my writings. Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@. See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html XXX might consider va0 mapping too. XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now.
2011-12-04 23:24:58 +04:00
kauth_register_key(secmodel_t secmodel, kauth_key_t *result)
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
{
kauth_key_t k;
specificdata_key_t key;
int error;
KASSERT(result != NULL);
error = specificdata_key_create(kauth_domain, &key, NULL);
if (error)
return (error);
k = kmem_alloc(sizeof(*k), KM_SLEEP);
k->ks_secmodel = secmodel;
k->ks_key = key;
*result = k;
return (0);
}
int
kauth_deregister_key(kauth_key_t key)
{
KASSERT(key != NULL);
specificdata_key_delete(kauth_domain, key->ks_key);
kmem_free(key, sizeof(*key));
return (0);
}
void *
kauth_cred_getdata(kauth_cred_t cred, kauth_key_t key)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
KASSERT(key != NULL);
return (specificdata_getspecific(kauth_domain, &cred->cr_sd,
key->ks_key));
}
void
kauth_cred_setdata(kauth_cred_t cred, kauth_key_t key, void *data)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
KASSERT(key != NULL);
specificdata_setspecific(kauth_domain, &cred->cr_sd, key->ks_key, data);
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/*
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
* Match uids in two credentials.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
int
add kauth backend.
2006-05-15 01:12:38 +04:00
kauth_cred_uidmatch(kauth_cred_t cred1, kauth_cred_t cred2)
{
KASSERT(cred1 != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred1 != NOCRED);
KASSERT(cred1 != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(cred2 != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred2 != NOCRED);
KASSERT(cred2 != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
if (cred1->cr_uid == cred2->cr_uid ||
cred1->cr_euid == cred2->cr_uid ||
cred1->cr_uid == cred2->cr_euid ||
cred1->cr_euid == cred2->cr_euid)
return (1);
return (0);
}
- Only acquire cr_lock when changing cr_refcnt. - When freeing, test the value of cr_refcnt from inside the lock perimiter. - Change some uint16_t/uint32_t types to u_int. - KASSERT(cr_refcnt > 0) in appropriate places. - KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 18:37:20 +04:00
u_int
add kauth backend.
2006-05-15 01:12:38 +04:00
kauth_cred_getrefcnt(kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (cred->cr_refcnt);
}
/*
* Convert userland credentials (struct uucred) to kauth_cred_t.
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
* XXX: For NFS & puffs
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
void
kauth_uucred_to_cred(kauth_cred_t cred, const struct uucred *uuc)
{
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(uuc != NULL);
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
add kauth backend.
2006-05-15 01:12:38 +04:00
cred->cr_refcnt = 1;
cred->cr_uid = uuc->cr_uid;
cred->cr_euid = uuc->cr_uid;
cred->cr_svuid = uuc->cr_uid;
cred->cr_gid = uuc->cr_gid;
cred->cr_egid = uuc->cr_gid;
cred->cr_svgid = uuc->cr_gid;
cred->cr_ngroups = min(uuc->cr_ngroups, NGROUPS);
kauth_cred_setgroups(cred, __UNCONST(uuc->cr_groups),
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
cred->cr_ngroups, -1, UIO_SYSSPACE);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
/*
* Convert kauth_cred_t to userland credentials (struct uucred).
* XXX: For NFS & puffs
*/
void
kauth_cred_to_uucred(struct uucred *uuc, const kauth_cred_t cred)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
KASSERT(uuc != NULL);
int ng;
ng = min(cred->cr_ngroups, NGROUPS);
uuc->cr_uid = cred->cr_euid;
uuc->cr_gid = cred->cr_egid;
uuc->cr_ngroups = ng;
Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups can copy directly to/from userspace. Avoids exposing the implementation of the group list as an array to code outside kern_auth.c. compat code and man page need updating.
2007-06-30 17:32:14 +04:00
kauth_cred_getgroups(cred, uuc->cr_groups, ng, UIO_SYSSPACE);
kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred() per tech-kern proposal
2006-10-22 17:07:15 +04:00
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/*
* Compare kauth_cred_t and uucred credentials.
* XXX: Modelled after crcmp() for NFS.
*/
int
kauth_cred_uucmp(kauth_cred_t cred, const struct uucred *uuc)
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(uuc != NULL);
if (cred->cr_euid == uuc->cr_uid &&
cred->cr_egid == uuc->cr_gid &&
fix sign-compare issues
2009-04-05 15:48:02 +04:00
cred->cr_ngroups == (uint32_t)uuc->cr_ngroups) {
add kauth backend.
2006-05-15 01:12:38 +04:00
int i;
/* Check if all groups from uuc appear in cred. */
for (i = 0; i < uuc->cr_ngroups; i++) {
int ismember;
ismember = 0;
if (kauth_cred_ismember_gid(cred, uuc->cr_groups[i],
&ismember) != 0 || !ismember)
kauth_cred_uucmp: fix inversed return code. PR/33546 from Juan RP.
2006-05-25 03:00:49 +04:00
return (1);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
kauth_cred_uucmp: fix inversed return code. PR/33546 from Juan RP.
2006-05-25 03:00:49 +04:00
return (0);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
kauth_cred_uucmp: fix inversed return code. PR/33546 from Juan RP.
2006-05-25 03:00:49 +04:00
return (1);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
/*
- Don't cast kauth_cred_t to (struct ucred *), just set pc_ucred = NULL. - Fill ucred::cr_ref.
2006-07-17 18:47:02 +04:00
* Make a struct ucred out of a kauth_cred_t. For compatibility.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
void
The pre-kauth 'struct ucread' and 'struct pcred' are now only used in the (depracted some time ago) 'struct kinfo_proc' returned by sysctl. Move the definitions to sys/syctl.h and rename in order to ensure all the users are located.
2007-02-18 18:20:34 +03:00
kauth_cred_toucred(kauth_cred_t cred, struct ki_ucred *uc)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(uc != NULL);
- Don't cast kauth_cred_t to (struct ucred *), just set pc_ucred = NULL. - Fill ucred::cr_ref.
2006-07-17 18:47:02 +04:00
uc->cr_ref = cred->cr_refcnt;
add kauth backend.
2006-05-15 01:12:38 +04:00
uc->cr_uid = cred->cr_euid;
uc->cr_gid = cred->cr_egid;
Use __arraycount when appropriate
2008-08-15 05:31:02 +04:00
uc->cr_ngroups = min(cred->cr_ngroups, __arraycount(uc->cr_groups));
add kauth backend.
2006-05-15 01:12:38 +04:00
memcpy(uc->cr_groups, cred->cr_groups,
uc->cr_ngroups * sizeof(uc->cr_groups[0]));
}
/*
- Don't cast kauth_cred_t to (struct ucred *), just set pc_ucred = NULL. - Fill ucred::cr_ref.
2006-07-17 18:47:02 +04:00
* Make a struct pcred out of a kauth_cred_t. For compatibility.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
void
The pre-kauth 'struct ucread' and 'struct pcred' are now only used in the (depracted some time ago) 'struct kinfo_proc' returned by sysctl. Move the definitions to sys/syctl.h and rename in order to ensure all the users are located.
2007-02-18 18:20:34 +03:00
kauth_cred_topcred(kauth_cred_t cred, struct ki_pcred *pc)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
KASSERT(cred != NULL);
KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
2015-08-08 10:53:51 +03:00
KASSERT(cred != NOCRED);
KASSERT(cred != FSCRED);
add kauth backend.
2006-05-15 01:12:38 +04:00
KASSERT(pc != NULL);
The pre-kauth 'struct ucread' and 'struct pcred' are now only used in the (depracted some time ago) 'struct kinfo_proc' returned by sysctl. Move the definitions to sys/syctl.h and rename in order to ensure all the users are located.
2007-02-18 18:20:34 +03:00
pc->p_pad = NULL;
add kauth backend.
2006-05-15 01:12:38 +04:00
pc->p_ruid = cred->cr_uid;
pc->p_svuid = cred->cr_svuid;
pc->p_rgid = cred->cr_gid;
pc->p_svgid = cred->cr_svgid;
pc->p_refcnt = cred->cr_refcnt;
}
/*
Use the LWP cached credentials where sane.
2006-07-24 02:06:03 +04:00
* Return kauth_cred_t for the current LWP.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
kauth_cred_t
kauth_cred_get(void)
{
Use the LWP cached credentials where sane.
2006-07-24 02:06:03 +04:00
return (curlwp->l_cred);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
/*
* Returns a scope matching the provided id.
* Requires the scope list lock to be held by the caller.
*/
static kauth_scope_t
KNF. wrap a long line.
2006-05-23 04:43:30 +04:00
kauth_ifindscope(const char *id)
{
add kauth backend.
2006-05-15 01:12:38 +04:00
kauth_scope_t scope;
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
KASSERT(rw_lock_held(&kauth_lock));
add kauth backend.
2006-05-15 01:12:38 +04:00
scope = NULL;
SIMPLEQ_FOREACH(scope, &scope_list, next_scope) {
if (strcmp(scope->id, id) == 0)
break;
}
return (scope);
}
/*
* Register a new scope.
*
* id - identifier for the scope
* callback - the scope's default listener
* cookie - cookie to be passed to the listener(s)
*/
kauth_scope_t
kauth_register_scope(const char *id, kauth_scope_callback_t callback,
Pretending to be Elad's keyboard: Attached diff let's call kauth_register_scope() with a NULL default listener. from tn2127: "callback is the address of the listener callback function for this scope; this becomes the scope's default listener. This parameter may be NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is assumed."
2006-08-16 21:57:26 +04:00
void *cookie)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
kauth_scope_t scope;
kauth_register_scope: don't leak a listener when no default listener is specified.
2006-09-14 15:37:07 +04:00
kauth_listener_t listener = NULL; /* XXX gcc */
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Sanitize input */
Pretending to be Elad's keyboard: Attached diff let's call kauth_register_scope() with a NULL default listener. from tn2127: "callback is the address of the listener callback function for this scope; this becomes the scope's default listener. This parameter may be NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is assumed."
2006-08-16 21:57:26 +04:00
if (id == NULL)
add kauth backend.
2006-05-15 01:12:38 +04:00
return (NULL);
/* Allocate space for a new scope and listener. */
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
scope = kmem_alloc(sizeof(*scope), KM_SLEEP);
if (scope == NULL)
return NULL;
kauth_register_scope: don't leak a listener when no default listener is specified.
2006-09-14 15:37:07 +04:00
if (callback != NULL) {
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
listener = kmem_alloc(sizeof(*listener), KM_SLEEP);
if (listener == NULL) {
kmem_free(scope, sizeof(*scope));
return (NULL);
}
kauth_register_scope: don't leak a listener when no default listener is specified.
2006-09-14 15:37:07 +04:00
}
add kauth backend.
2006-05-15 01:12:38 +04:00
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
/*
* Acquire scope list lock.
*/
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_enter(&kauth_lock, RW_WRITER);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Check we don't already have a scope with the same id */
if (kauth_ifindscope(id) != NULL) {
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_exit(&kauth_lock);
add kauth backend.
2006-05-15 01:12:38 +04:00
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
kmem_free(scope, sizeof(*scope));
if (callback != NULL)
kmem_free(listener, sizeof(*listener));
add kauth backend.
2006-05-15 01:12:38 +04:00
return (NULL);
}
/* Initialize new scope with parameters */
scope->id = id;
scope->cookie = cookie;
scope->nlisteners = 1;
SIMPLEQ_INIT(&scope->listenq);
Pretending to be Elad's keyboard: Attached diff let's call kauth_register_scope() with a NULL default listener. from tn2127: "callback is the address of the listener callback function for this scope; this becomes the scope's default listener. This parameter may be NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is assumed."
2006-08-16 21:57:26 +04:00
/* Add default listener */
if (callback != NULL) {
listener->func = callback;
listener->scope = scope;
listener->refcnt = 0;
SIMPLEQ_INSERT_HEAD(&scope->listenq, listener, listener_next);
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Insert scope to scopes list */
Pretending to be Elad's keyboard: Attached diff let's call kauth_register_scope() with a NULL default listener. from tn2127: "callback is the address of the listener callback function for this scope; this becomes the scope's default listener. This parameter may be NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is assumed."
2006-08-16 21:57:26 +04:00
SIMPLEQ_INSERT_TAIL(&scope_list, scope, next_scope);
add kauth backend.
2006-05-15 01:12:38 +04:00
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_exit(&kauth_lock);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (scope);
}
/*
* Initialize the kernel authorization subsystem.
*
* Initialize the scopes list lock.
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
* Create specificdata domain.
* Register the credentials scope, used in kauth(9) internally.
* Register built-in scopes: generic, system, process, network, machdep, device.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
void
kauth_init(void)
{
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_init(&kauth_lock);
add kauth backend.
2006-05-15 01:12:38 +04:00
Merge from vmlocking: - pool_cache changes. - Debugger/procfs locking fixes. - Other minor changes.
2007-11-07 03:23:13 +03:00
kauth_cred_cache = pool_cache_init(sizeof(struct kauth_cred),
Replace use of CACHE_LINE_SIZE in some obvious places.
2008-03-27 21:30:15 +03:00
coherency_unit, 0, 0, "kcredpl", NULL, IPL_NONE,
Use atomics to adjust the credential reference count.
2007-11-29 20:48:27 +03:00
NULL, NULL, NULL);
Merge from vmlocking: - pool_cache changes. - Debugger/procfs locking fixes. - Other minor changes.
2007-11-07 03:23:13 +03:00
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
/* Create specificdata domain. */
kauth_domain = specificdata_domain_create();
/* Register credentials scope. */
kauth_builtin_scope_cred =
kauth_register_scope(KAUTH_SCOPE_CRED, NULL, NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Register generic scope. */
kauth_builtin_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC,
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
NULL, NULL);
/* Register system scope. */
kauth_builtin_scope_system = kauth_register_scope(KAUTH_SCOPE_SYSTEM,
NULL, NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Register process scope. */
kauth_builtin_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS,
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
NULL, NULL);
/* Register network scope. */
kauth_builtin_scope_network = kauth_register_scope(KAUTH_SCOPE_NETWORK,
NULL, NULL);
/* Register machdep scope. */
kauth_builtin_scope_machdep = kauth_register_scope(KAUTH_SCOPE_MACHDEP,
NULL, NULL);
Implement the "device" scope. It uses an authorization wrapper per device class on the system to ensure type-safety. For now, it supports only terminal (TTY) devices, and has two actions for them: "open terminal" and "privileged set". Sample usage has been added to i386 and hp300 code for reference. Update documentation.
2006-10-01 00:05:57 +04:00
/* Register device scope. */
kauth_builtin_scope_device = kauth_register_scope(KAUTH_SCOPE_DEVICE,
NULL, NULL);
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
/* Register vnode scope. */
kauth_builtin_scope_vnode = kauth_register_scope(KAUTH_SCOPE_VNODE,
NULL, NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
}
/*
* Deregister a scope.
* Requires scope list lock to be held by the caller.
*
* scope - the scope to deregister
*/
void
kauth_deregister_scope(kauth_scope_t scope)
{
if (scope != NULL) {
/* Remove scope from list */
SIMPLEQ_REMOVE(&scope_list, scope, kauth_scope, next_scope);
Make kauth_deregister_scope() and kauth_unlisten_scope() free the passed kauth_scope_t and kauth_listener_t objects, respectively. Okay yamt@.
2007-01-02 02:33:03 +03:00
kmem_free(scope, sizeof(*scope));
add kauth backend.
2006-05-15 01:12:38 +04:00
}
}
/*
* Register a listener.
*
* id - scope identifier.
* callback - the callback routine for the listener.
* cookie - cookie to pass unmoidfied to the callback.
*/
kauth_listener_t
kauth_listen_scope(const char *id, kauth_scope_callback_t callback,
remove some __unused from function parameters.
2006-11-01 13:17:58 +03:00
void *cookie)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
kauth_scope_t scope;
kauth_listener_t listener;
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
listener = kmem_alloc(sizeof(*listener), KM_SLEEP);
if (listener == NULL)
return (NULL);
rw_enter(&kauth_lock, RW_WRITER);
Allocate space for scopes and listeners with kmem. Ok elad@.
2006-12-23 11:38:00 +03:00
/*
* Find scope struct.
*/
add kauth backend.
2006-05-15 01:12:38 +04:00
scope = kauth_ifindscope(id);
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
if (scope == NULL) {
rw_exit(&kauth_lock);
kmem_free(listener, sizeof(*listener));
add kauth backend.
2006-05-15 01:12:38 +04:00
return (NULL);
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/* Allocate listener */
/* Initialize listener with parameters */
listener->func = callback;
listener->refcnt = 0;
/* Add listener to scope */
SIMPLEQ_INSERT_TAIL(&scope->listenq, listener, listener_next);
/* Raise number of listeners on scope. */
scope->nlisteners++;
listener->scope = scope;
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_exit(&kauth_lock);
add kauth backend.
2006-05-15 01:12:38 +04:00
return (listener);
}
/*
* Deregister a listener.
*
* listener - listener reference as returned from kauth_listen_scope().
*/
void
kauth_unlisten_scope(kauth_listener_t listener)
{
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
add kauth backend.
2006-05-15 01:12:38 +04:00
if (listener != NULL) {
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_enter(&kauth_lock, RW_WRITER);
KNF. wrap a long line.
2006-05-23 04:43:30 +04:00
SIMPLEQ_REMOVE(&listener->scope->listenq, listener,
kauth_listener, listener_next);
add kauth backend.
2006-05-15 01:12:38 +04:00
listener->scope->nlisteners--;
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
rw_exit(&kauth_lock);
Make kauth_deregister_scope() and kauth_unlisten_scope() free the passed kauth_scope_t and kauth_listener_t objects, respectively. Okay yamt@.
2007-01-02 02:33:03 +03:00
kmem_free(listener, sizeof(*listener));
add kauth backend.
2006-05-15 01:12:38 +04:00
}
}
/*
* Authorize a request.
*
* scope - the scope of the request as defined by KAUTH_SCOPE_* or as
* returned from kauth_register_scope().
* credential - credentials of the user ("actor") making the request.
* action - request identifier.
* arg[0-3] - passed unmodified to listener(s).
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
*
* Returns the aggregated result:
* - KAUTH_RESULT_ALLOW if there is at least one KAUTH_RESULT_ALLOW and
* zero KAUTH_DESULT_DENY
* - KAUTH_RESULT_DENY if there is at least one KAUTH_RESULT_DENY
* - KAUTH_RESULT_DEFER if there is nothing but KAUTH_RESULT_DEFER
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
static int
kauth_authorize_action_internal(kauth_scope_t scope, kauth_cred_t cred,
kauth_action_t action, void *arg0, void *arg1, void *arg2, void *arg3)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
kauth_listener_t listener;
int error, allow, fail;
Move the kauth_init() call above auto-configuration; this will fix some recent bugs introduced with the usage of kauth(9) in MD/device code. While here, change the sanity checks to KASSERT(), because they're really bugs we should fix if triggered.
2006-10-02 20:29:57 +04:00
KASSERT(cred != NULL);
KASSERT(action != 0);
add kauth backend.
2006-05-15 01:12:38 +04:00
From Elad: Attached diff short-circuits kauth_authorize_action() if the request comes from the kernel (NOCRED or FSCRED). okay matt@
2006-08-20 19:05:14 +04:00
/* Short-circuit requests coming from the kernel. */
if (cred == NOCRED || cred == FSCRED)
PR/46973: Dr. Wolfgang Stukenbrock: kauth_authorize_action_internal() returns non-macro value as it should do
2012-09-16 18:35:26 +04:00
return KAUTH_RESULT_ALLOW;
From Elad: Attached diff short-circuits kauth_authorize_action() if the request comes from the kernel (NOCRED or FSCRED). okay matt@
2006-08-20 19:05:14 +04:00
Move the kauth_init() call above auto-configuration; this will fix some recent bugs introduced with the usage of kauth(9) in MD/device code. While here, change the sanity checks to KASSERT(), because they're really bugs we should fix if triggered.
2006-10-02 20:29:57 +04:00
KASSERT(scope != NULL);
add kauth backend.
2006-05-15 01:12:38 +04:00
fail = 0;
allow = 0;
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
/* rw_enter(&kauth_lock, RW_READER); XXX not yet */
add kauth backend.
2006-05-15 01:12:38 +04:00
SIMPLEQ_FOREACH(listener, &scope->listenq, listener_next) {
error = listener->func(cred, action, scope->cookie, arg0,
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
arg1, arg2, arg3);
add kauth backend.
2006-05-15 01:12:38 +04:00
if (error == KAUTH_RESULT_ALLOW)
allow = 1;
else if (error == KAUTH_RESULT_DENY)
fail = 1;
}
Merge newlock2 to head.
2007-02-10 00:55:00 +03:00
/* rw_exit(&kauth_lock); */
add kauth backend.
2006-05-15 01:12:38 +04:00
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
if (fail)
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
return (KAUTH_RESULT_DENY);
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
if (allow)
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
return (KAUTH_RESULT_ALLOW);
return (KAUTH_RESULT_DEFER);
};
int
kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
kauth_action_t action, void *arg0, void *arg1, void *arg2, void *arg3)
{
int r;
r = kauth_authorize_action_internal(scope, cred, action, arg0, arg1,
arg2, arg3);
if (r == KAUTH_RESULT_DENY)
return (EPERM);
if (r == KAUTH_RESULT_ALLOW)
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
return (0);
Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication. When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example: bool isroot; error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot); if (error == 0 && !isroot) result = KAUTH_RESULT_DENY; This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error. Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects. Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error. We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9). The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation: - curtain can be enabled any time, but cannot be disabled if securelevel is above 0. - usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0. Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat. Documentation is incoming, I am proof-reading my writings. Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@. See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html XXX might consider va0 mapping too. XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now.
2011-12-04 23:24:58 +04:00
if (secmodel_nsecmodels() == 0)
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
return (0);
return (EPERM);
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
}
add kauth backend.
2006-05-15 01:12:38 +04:00
/*
* Generic scope authorization wrapper.
*/
int
kauth_authorize_generic(kauth_cred_t cred, kauth_action_t action, void *arg0)
{
return (kauth_authorize_action(kauth_builtin_scope_generic, cred,
action, arg0, NULL, NULL, NULL));
}
/*
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
* System scope authorization wrapper.
add kauth backend.
2006-05-15 01:12:38 +04:00
*/
int
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
kauth_authorize_system(kauth_cred_t cred, kauth_action_t action,
enum kauth_system_req req, void *arg1, void *arg2, void *arg3)
add kauth backend.
2006-05-15 01:12:38 +04:00
{
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
return (kauth_authorize_action(kauth_builtin_scope_system, cred,
action, (void *)req, arg1, arg2, arg3));
add kauth backend.
2006-05-15 01:12:38 +04:00
}
/*
* Process scope authorization wrapper.
*/
int
kauth_authorize_process(kauth_cred_t cred, kauth_action_t action,
struct proc *p, void *arg1, void *arg2, void *arg3)
{
return (kauth_authorize_action(kauth_builtin_scope_process, cred,
action, p, arg1, arg2, arg3));
}
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
/*
* Network scope authorization wrapper.
*/
int
kauth_authorize_network(kauth_cred_t cred, kauth_action_t action,
Remove ugly (void *) casts from network scope authorization wrapper and calls to it. While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run). Update documentation.
2006-09-20 01:42:29 +04:00
enum kauth_network_req req, void *arg1, void *arg2, void *arg3)
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
{
return (kauth_authorize_action(kauth_builtin_scope_network, cred,
Remove ugly (void *) casts from network scope authorization wrapper and calls to it. While here, adapt code for system scope listeners to avoid some more casts (forgotten in previous run). Update documentation.
2006-09-20 01:42:29 +04:00
action, (void *)req, arg1, arg2, arg3));
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
}
int
kauth_authorize_machdep(kauth_cred_t cred, kauth_action_t action,
Make machdep scope architecture-agnostic by removing all arch-specific requests and centralizing them all. The result is that some of these are not used on some architectures, but the documentation was updated to reflect that.
2006-12-26 13:43:43 +03:00
void *arg0, void *arg1, void *arg2, void *arg3)
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
{
return (kauth_authorize_action(kauth_builtin_scope_machdep, cred,
Make machdep scope architecture-agnostic by removing all arch-specific requests and centralizing them all. The result is that some of these are not used on some architectures, but the documentation was updated to reflect that.
2006-12-26 13:43:43 +03:00
action, arg0, arg1, arg2, arg3));
First take at security model abstraction. - Add a few scopes to the kernel: system, network, and machdep. - Add a few more actions/sub-actions (requests), and start using them as opposed to the KAUTH_GENERIC_ISSUSER place-holders. - Introduce a basic set of listeners that implement our "traditional" security model, called "bsd44". This is the default (and only) model we have at the moment. - Update all relevant documentation. - Add some code and docs to help folks who want to actually use this stuff: * There's a sample overlay model, sitting on-top of "bsd44", for fast experimenting with tweaking just a subset of an existing model. This is pretty cool because it's *really* straightforward to do stuff you had to use ugly hacks for until now... * And of course, documentation describing how to do the above for quick reference, including code samples. All of these changes were tested for regressions using a Python-based testsuite that will be (I hope) available soon via pkgsrc. Information about the tests, and how to write new ones, can be found on: http://kauth.linbsd.org/kauthwiki NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the following: - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request, - Checks 'securelevel' directly, - Checks a uid/gid directly. (or if you feel you have to, contact me first) This is still work in progress; It's far from being done, but now it'll be a lot easier. Relevant mailing list threads: http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help stablizing kauth(9). Full credit for the regression tests, making sure these changes didn't break anything, goes to Matt Fleming and Jaime Fournier. Happy birthday Randi! :)
2006-09-09 00:58:56 +04:00
}
Implement the "device" scope. It uses an authorization wrapper per device class on the system to ensure type-safety. For now, it supports only terminal (TTY) devices, and has two actions for them: "open terminal" and "privileged set". Sample usage has been added to i386 and hp300 code for reference. Update documentation.
2006-10-01 00:05:57 +04:00
Provide a standard authorization wrapper for the device scope.
2006-11-19 03:11:29 +03:00
int
kauth_authorize_device(kauth_cred_t cred, kauth_action_t action,
void *arg0, void *arg1, void *arg2, void *arg3)
{
return (kauth_authorize_action(kauth_builtin_scope_device, cred,
action, arg0, arg1, arg2, arg3));
}
Implement the "device" scope. It uses an authorization wrapper per device class on the system to ensure type-safety. For now, it supports only terminal (TTY) devices, and has two actions for them: "open terminal" and "privileged set". Sample usage has been added to i386 and hp300 code for reference. Update documentation.
2006-10-01 00:05:57 +04:00
int
kauth_authorize_device_tty(kauth_cred_t cred, kauth_action_t action,
struct tty *tty)
{
return (kauth_authorize_action(kauth_builtin_scope_device, cred,
action, tty, NULL, NULL, NULL));
}
Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU. Expose iskmemdev() through sys/conf.h. okay yamt@
2006-11-04 12:30:00 +03:00
int
kauth_authorize_device_spec(kauth_cred_t cred, enum kauth_device_req req,
struct vnode *vp)
{
return (kauth_authorize_action(kauth_builtin_scope_device, cred,
KAUTH_DEVICE_RAWIO_SPEC, (void *)req, vp, NULL, NULL));
}
int
Change kauth(9) KPI for kauth_authorize_device_passthru() to add another argument, u_long, serving as a bit-mask of generic requests for the passthru request. Discussed on tech-security@ and tech-kern@. Okay tls@.
2006-12-02 06:10:42 +03:00
kauth_authorize_device_passthru(kauth_cred_t cred, dev_t dev, u_long bits,
void *data)
Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU. Expose iskmemdev() through sys/conf.h. okay yamt@
2006-11-04 12:30:00 +03:00
{
return (kauth_authorize_action(kauth_builtin_scope_device, cred,
Change kauth(9) KPI for kauth_authorize_device_passthru() to add another argument, u_long, serving as a bit-mask of generic requests for the passthru request. Discussed on tech-security@ and tech-kern@. Okay tls@.
2006-12-02 06:10:42 +03:00
KAUTH_DEVICE_RAWIO_PASSTHRU, (void *)bits, (void *)(u_long)dev,
data, NULL));
Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU. Expose iskmemdev() through sys/conf.h. okay yamt@
2006-11-04 12:30:00 +03:00
}
Introduce secmodel_register() and secmodel_deregister() (for now left undocumented) and change logic in kauth_authorize_action() to only allow an action if it wasn't explicitly allowed/denied and there are no secmodels loaded. Okay yamt@.
2007-01-16 14:51:22 +03:00
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
kauth_action_t
kauth_mode_to_action(mode_t mode)
{
kauth_action_t action = 0;
if (mode & VREAD)
action |= KAUTH_VNODE_READ_DATA;
if (mode & VWRITE)
action |= KAUTH_VNODE_WRITE_DATA;
if (mode & VEXEC)
action |= KAUTH_VNODE_EXECUTE;
return action;
}
Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with something meaningful. All relevant documentation has been updated or written. Most of these changes were brought up in the following messages: http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html Thanks to christos, manu, njoly, and jmmv for input. Huge thanks to pgoyette for spinning these changes through some build cycles and ATF.
2012-03-13 22:40:26 +04:00
kauth_action_t
kauth_extattr_action(mode_t access_mode)
{
kauth_action_t action = 0;
if (access_mode & VREAD)
action |= KAUTH_VNODE_READ_EXTATTRIBUTES;
if (access_mode & VWRITE)
action |= KAUTH_VNODE_WRITE_EXTATTRIBUTES;
return action;
}
Implement the vnode scope and adapt tmpfs to use it. Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 08:45:27 +04:00
int
kauth_authorize_vnode(kauth_cred_t cred, kauth_action_t action,
struct vnode *vp, struct vnode *dvp, int fs_decision)
{
int error;
error = kauth_authorize_action_internal(kauth_builtin_scope_vnode, cred,
action, vp, dvp, NULL, NULL);
if (error == KAUTH_RESULT_DENY)
return (EACCES);
if (error == KAUTH_RESULT_ALLOW)
return (0);
/*
* If the file-system does not support decision-before-action, we can
* only short-circuit the operation (deny). If we're here, it means no
* listener denied it, so our only alternative is to supposedly-allow
* it and let the file-system have the last word.
*/
if (fs_decision == KAUTH_VNODE_REMOTEFS)
return (0);
return (fs_decision);
}
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
static int
kauth_cred_hook(kauth_cred_t cred, kauth_action_t action, void *arg0,
void *arg1)
{
int r;
r = kauth_authorize_action(kauth_builtin_scope_cred, cred, action,
arg0, arg1, NULL, NULL);
Fix notify only logic for credentials scope. Thanks ad@!
2007-01-31 19:30:09 +03:00
#ifdef DIAGNOSTIC
if (!SIMPLEQ_EMPTY(&kauth_builtin_scope_cred->listenq))
KASSERT(r == 0);
#endif /* DIAGNOSTIC */
Add a new scope, the credentials scope, which is internal to the kauth(9) implementation and meant to be used by security models to hook credential related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(), kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively) and document it. Add specificdata to credentials, and routines to register/deregister new "keys", as well as set/get routines. This allows security models to add their own private data to a kauth_cred_t. The above two, combined, allow security models to control inheritance of their own private data in credentials which is a requirement for doing stuff like, I dunno, capabilities?
2007-01-31 13:08:23 +03:00
return (r);
}
Reference in New Issue Copy Permalink