Add and use a network scope action/request for tun(4), similar to ppp(4),
sl(4), and strip(4).
This commit is contained in:
elad
parent
76fc93c832
commit
17c0c1e672
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: kauth.9,v 1.83 2009/05/07 19:26:08 elad Exp $
|
||||
.\" $NetBSD: kauth.9,v 1.84 2009/05/08 11:09:43 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
.\" All rights reserved.
|
||||
@ -633,7 +633,7 @@ there's no way to tell what structure
|
||||
.Ar arg3
|
||||
is.
|
||||
.It Dv KAUTH_NETWORK_INTERFACE_PPP
|
||||
Checks operations performed on the
|
||||
Checks if operations performed on the
|
||||
.Xr ppp 4
|
||||
network interface are allowed.
|
||||
.Pp
|
||||
@ -646,7 +646,7 @@ Checks if adding and enabling a
|
||||
interface to the system is allowed.
|
||||
.El
|
||||
.It Dv KAUTH_NETWORK_INTERFACE_SLIP
|
||||
Checks operations performed on the
|
||||
Checks if operations performed on the
|
||||
.Xr sl 4
|
||||
network interface are allowed.
|
||||
.Pp
|
||||
@ -659,7 +659,7 @@ Checks if adding and enabling a
|
||||
interface to the system is allowed.
|
||||
.El
|
||||
.It Dv KAUTH_NETWORK_INTERFACE_STRIP
|
||||
Checks operations performed on the
|
||||
Checks if operations performed on the
|
||||
.Xr strip 4
|
||||
network interface are allowed.
|
||||
.Pp
|
||||
@ -671,6 +671,19 @@ Check if adding and enabling a
|
||||
.Xr strip 4
|
||||
interface to the system is allowed.
|
||||
.El
|
||||
.It Dv KAUTH_NETWORK_INTERFACE_TUN
|
||||
Checks if operations performed on the
|
||||
.Xr tun 4
|
||||
network interface are allowed.
|
||||
.Pp
|
||||
.Ar req
|
||||
can be one of the following:
|
||||
.Bl -tag -width compact
|
||||
.It Dv KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD
|
||||
Checks if adding and enabling a
|
||||
.Xr tun 4
|
||||
interface to the system is allowed.
|
||||
.El
|
||||
.It Dv KAUTH_NETWORK_FORWSRCRT
|
||||
Checks whether status of forwarding of source-routed packets can be modified
|
||||
or not.
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: if_tun.c,v 1.110 2008/11/20 21:55:15 dyoung Exp $ */
|
||||
/* $NetBSD: if_tun.c,v 1.111 2009/05/08 11:09:44 elad Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988, Julian Onions <jpo@cs.nott.ac.uk>
|
||||
@ -15,7 +15,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.110 2008/11/20 21:55:15 dyoung Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.111 2009/05/08 11:09:44 elad Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
|
||||
@ -283,8 +283,9 @@ tunopen(dev_t dev, int flag, int mode, struct lwp *l)
|
||||
struct tun_softc *tp;
|
||||
int s, error;
|
||||
|
||||
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
|
||||
NULL)) != 0)
|
||||
error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_TUN,
|
||||
KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD, NULL, NULL, NULL);
|
||||
if (error)
|
||||
return (error);
|
||||
|
||||
s = splnet();
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: secmodel_bsd44_suser.c,v 1.66 2009/05/07 19:26:09 elad Exp $ */
|
||||
/* $NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
@ -38,7 +38,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.66 2009/05/07 19:26:09 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@ -876,6 +876,7 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@ -888,6 +889,7 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@ -900,6 +902,20 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
break;
|
||||
|
||||
case KAUTH_NETWORK_INTERFACE_TUN:
|
||||
switch (req) {
|
||||
case KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD:
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: kauth.h,v 1.58 2009/05/07 19:26:08 elad Exp $ */
|
||||
/* $NetBSD: kauth.h,v 1.59 2009/05/08 11:09:43 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
@ -187,6 +187,7 @@ enum {
|
||||
KAUTH_NETWORK_INTERFACE_PPP,
|
||||
KAUTH_NETWORK_INTERFACE_SLIP,
|
||||
KAUTH_NETWORK_INTERFACE_STRIP,
|
||||
KAUTH_NETWORK_INTERFACE_TUN,
|
||||
};
|
||||
|
||||
/*
|
||||
@ -223,6 +224,7 @@ enum kauth_network_req {
|
||||
KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
|
||||
KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
|
||||
KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD,
|
||||
KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD,
|
||||
};
|
||||
|
||||
/*
|
||||
|
||||
Loading…
Reference in New Issue
Block a user