Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE, used to manage network interfaces.

Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.
This commit is contained in:
elad 2006-10-20 23:10:33 +00:00
parent a5d447aee5
commit 305fe09181
4 changed files with 89 additions and 34 deletions


@ -1,4 +1,4 @@
/* $NetBSD: secmodel_example.c,v 1.3 2006/10/20 22:02:54 elad Exp $ */
/* $NetBSD: secmodel_example.c,v 1.4 2006/10/20 23:10:33 elad Exp $ */
/*
* This file is placed in the public domain.
@ -13,7 +13,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.3 2006/10/20 22:02:54 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.4 2006/10/20 23:10:33 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -327,6 +327,24 @@ secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
}
break;
case KAUTH_NETWORK_FORWSRCRT:
break;
case KAUTH_NETWORK_INTERFACE:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_INTERFACE_GET:
case KAUTH_REQ_NETWORK_INTERFACE_SET:
case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_NETWORK_ROUTE:
break;
case KAUTH_NETWORK_SOCKET:
switch((u_long)arg0) {
case KAUTH_REQ_NETWORK_SOCKET_ATTACH:
@ -338,8 +356,6 @@ secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
}
break;
case KAUTH_NETWORK_FORWSRCRT:
case KAUTH_NETWORK_ROUTE:
default:
result = KAUTH_RESULT_DEFER;
break;
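Review bot: The new KAUTH_NETWORK_INTERFACE case in secmodel_example_network_cb enumerates all four INTERFACE sub-actions only to fall into the same `default: result = KAUTH_RESULT_DEFER;` branch, so a reader cannot tell whether the list is a deliberate template or an unfinished policy. Since this file is the example model, a short comment above the inner switch would make the intent explicit, e.g. `/* Template: list each sub-action here and set result per-model; this example defers them all. */`. secmodel_example_network_cb starts and ends outside this hunk.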


@ -1,4 +1,4 @@
.\" $NetBSD: kauth.9,v 1.21 2006/10/20 22:02:54 elad Exp $
.\" $NetBSD: kauth.9,v 1.22 2006/10/20 23:10:34 elad Exp $
.\"
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
@ -28,7 +28,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd October 20, 2006
.Dd October 21, 2006
.Dt KAUTH 9
.Os
.Sh NAME
@ -399,6 +399,21 @@ Modification of packet filtering rules.
.It Dv KAUTH_REQ_NETWORK_FIREWALL_NAT
Modification of NAT rules.
.El
.It Dv KAUTH_NETWORK_INTERFACE
Checks if network interface-related operations are allowed.
.Pp
.Ar req
indicates the sub-action, and can be one of the following:
.Bl -tag
.It Dv KAUTH_REQ_NETWORK_INTERFACE_GET
Check if retrieving information from the device is allowed.
.It Dv KAUTH_REQ_NETWORK_INTERFACE_GETPRIV
Check if retrieving privileged information from the device is allowed.
.It Dv KAUTH_REQ_NETWORK_INTERFACE_SET
Check if setting parameters on the device is allowed.
.It Dv KAUTH_REQ_NETWORK_INTERFACE_SETPRIV
Check if setting privileged parameters on the device is allowed.
.El
.It Dv KAUTH_NETWORK_FORWSRCRT
Checks whether status of forwarding of source-routed packets can be modified
or not.


@ -1,4 +1,4 @@
/* $NetBSD: secmodel_bsd44_suser.c,v 1.10 2006/10/20 22:02:54 elad Exp $ */
/* $NetBSD: secmodel_bsd44_suser.c,v 1.11 2006/10/20 23:10:34 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
@ -43,7 +43,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.10 2006/10/20 22:02:54 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.11 2006/10/20 23:10:34 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -303,6 +303,50 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
break;
case KAUTH_NETWORK_BIND:
switch (req) {
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_ALLOW;
break;
}
break;
case KAUTH_NETWORK_INTERFACE:
switch (req) {
case KAUTH_REQ_NETWORK_INTERFACE_GET:
case KAUTH_REQ_NETWORK_INTERFACE_SET:
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_NETWORK_ROUTE:
switch (((struct rt_msghdr *)arg1)->rtm_type) {
case RTM_GET:
result = KAUTH_RESULT_ALLOW;
break;
default:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
}
break;
case KAUTH_NETWORK_SOCKET:
switch (req) {
case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK:
@ -330,31 +374,6 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
break;
case KAUTH_NETWORK_BIND:
switch (req) {
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_ALLOW;
break;
}
break;
case KAUTH_NETWORK_ROUTE:
switch (((struct rt_msghdr *)arg1)->rtm_type) {
case RTM_GET:
result = KAUTH_RESULT_ALLOW;
break;
default:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
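Review bot: In the new KAUTH_NETWORK_INTERFACE case of secmodel_bsd44_suser_network_cb, KAUTH_REQ_NETWORK_INTERFACE_SET is granted unconditionally together with GET, so whether a given interface operation is root-only depends entirely on the caller choosing SET versus SETPRIV, and nothing in the hunk records that contract. Given the commit message calls these sub-actions generic placeholders, the unconditional allow should carry a comment such as `/* GET/SET are unprivileged by design; any operation that must be root-only has to be requested as GETPRIV/SETPRIV. */` so that future call sites do not default to SET for state-changing ioctls. The unknown-request path deferring (`default: result = KAUTH_RESULT_DEFER;`) matches the other switches in this function, which is presumably deny-by-default when every listener defers, but that depends on kauth_authorize_action and is not visible here. The enclosing function starts and ends outside this hunk.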


@ -1,4 +1,4 @@
/* $NetBSD: kauth.h,v 1.13 2006/10/20 22:02:54 elad Exp $ */
/* $NetBSD: kauth.h,v 1.14 2006/10/20 23:10:33 elad Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -143,6 +143,7 @@ enum {
KAUTH_NETWORK_ALTQ=1,
KAUTH_NETWORK_BIND,
KAUTH_NETWORK_FIREWALL,
KAUTH_NETWORK_INTERFACE,
KAUTH_NETWORK_FORWSRCRT,
KAUTH_NETWORK_ROUTE,
KAUTH_NETWORK_SOCKET
@ -168,6 +169,10 @@ enum kauth_network_req {
KAUTH_REQ_NETWORK_BIND_PRIVPORT,
KAUTH_REQ_NETWORK_FIREWALL_FW,
KAUTH_REQ_NETWORK_FIREWALL_NAT,
KAUTH_REQ_NETWORK_INTERFACE_GET,
KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
KAUTH_REQ_NETWORK_INTERFACE_SET,
KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
KAUTH_REQ_NETWORK_SOCKET_ATTACH,
KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
KAUTH_REQ_NETWORK_SOCKET_CANSEE
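Review bot: KAUTH_NETWORK_INTERFACE is inserted into the middle of the action enum (between KAUTH_NETWORK_FIREWALL and KAUTH_NETWORK_FORWSRCRT), and the four KAUTH_REQ_NETWORK_INTERFACE_* constants are inserted before KAUTH_REQ_NETWORK_SOCKET_ATTACH in enum kauth_network_req, which renumbers FORWSRCRT, ROUTE, SOCKET and all three SOCKET_* request values. If any security model or listener is built as a separately compiled module against the previous kauth.h, it would now interpret an INTERFACE request as FORWSRCRT and a SOCKET_* request as the wrong sub-action, silently changing authorization results; whether such out-of-tree consumers exist is not visible from this diff. Either append new values at the end of each enum or add a comment such as `/* Not ABI-stable: values may be renumbered; rebuild all security models against this header. */` so the coupling is explicit. Both enums start outside this hunk.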