Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Small improvements to kauth(9).

Browse Source
This commit is contained in:
jym 2011-11-08 00:55:53 +00:00
parent aa8703ce6a
commit 28ecaa21fd
1 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
share/man/man9/kauth.9
View File

@ -1,4 +1,4 @@
.\" $NetBSD: kauth.9,v 1.91 2011/04/28 12:22:35 wiz Exp $ .\" $NetBSD: kauth.9,v 1.92 2011/11/08 00:55:53 jym Exp $
.\" .\"
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> .\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved. .\" All rights reserved.
@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd August 10, 2009 .Dd November 8, 2011
.Dt KAUTH 9 .Dt KAUTH 9
.Os .Os
.Sh NAME .Sh NAME
@ -77,11 +77,21 @@ the requested operation, and possibly other information as well.
.Pp .Pp
Every listener examines the passed information and returns its decision Every listener examines the passed information and returns its decision
regarding the requested operation. regarding the requested operation.
It can either allow, deny, or defer the operation -- in which case, the It can either return:
decision is left to the other listeners.
.Pp .Pp
For an operation to be allowed, all listeners must not return any deny .Bl -tag -width KAUTH_RESULT_ALLOW -compact
or defer decisions. .It Dv KAUTH_RESULT_ALLOW
The listener allows the operation.
.It Dv KAUTH_RESULT_DENY
The listener denies the operation.
.It Dv KAUTH_RESULT_DEFER
The listener defers the decision to other listeners.
.El
.Pp
For an operation to be allowed, at least one listener has to return
.Dv KAUTH_RESULT_ALLOW
while no other listener returned
.Dv KAUTH_RESULT_DENY .
.Pp .Pp
Scopes manage listeners that operate in the same aspect of the system. Scopes manage listeners that operate in the same aspect of the system.
.Ss Kernel Programming Interface .Ss Kernel Programming Interface
@ -104,12 +114,14 @@ It is declared as
.Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \ .Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \
"kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3" "kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3"
.Pp .Pp
An authorization request can return one of two possible values. An authorization request can return one of two possible values:
Zero indicates success -- the operation is allowed; .Bl -tag -width ".It Dv 0 Po zero Pc" -compact
.Er EPERM .It Dv 0 Po zero Pc
(see indicates success; operation is allowed.
.Xr errno 2 ) .It Dv EPERM
indicates failure -- the operation is denied. indicates failure; operation is denied. See
.Xr errno 2 .
.El
.Pp .Pp
Each scope has its own authorization wrapper, to make it easy to call from various Each scope has its own authorization wrapper, to make it easy to call from various
places by eliminating the need to specify the scope and/or cast values. places by eliminating the need to specify the scope and/or cast values.