Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE,

used to manage network interfaces.

Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.

share/examples/secmodel/secmodel_example.c

@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_example.c,v 1.3 2006/10/20 22:02:54 elad Exp $ */
+/* $NetBSD: secmodel_example.c,v 1.4 2006/10/20 23:10:33 elad Exp $ */
 
 /*
  * This file is placed in the public domain.
@@ -13,7 +13,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.3 2006/10/20 22:02:54 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.4 2006/10/20 23:10:33 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -327,6 +327,24 @@ secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
                 }
                 break;
 
+        case KAUTH_NETWORK_FORWSRCRT:
+		break;
+
+	case KAUTH_NETWORK_INTERFACE:
+		switch ((u_long)arg0) {
+		case KAUTH_REQ_NETWORK_INTERFACE_GET:
+		case KAUTH_REQ_NETWORK_INTERFACE_SET:
+		case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
+		case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
+		default:
+			result = KAUTH_RESULT_DEFER;
+			break;
+		}
+		break;
+
+        case KAUTH_NETWORK_ROUTE:
+		break;
+
         case KAUTH_NETWORK_SOCKET:
                 switch((u_long)arg0) {
                 case KAUTH_REQ_NETWORK_SOCKET_ATTACH:
@@ -338,8 +356,6 @@ secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
                 }
                 break;
 
-        case KAUTH_NETWORK_FORWSRCRT:
-        case KAUTH_NETWORK_ROUTE:
         default:
                 result = KAUTH_RESULT_DEFER;
                 break;

share/man/man9/kauth.9

@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.21 2006/10/20 22:02:54 elad Exp $
+.\" $NetBSD: kauth.9,v 1.22 2006/10/20 23:10:34 elad Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@@ -28,7 +28,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd October 20, 2006
+.Dd October 21, 2006
 .Dt KAUTH 9
 .Os
 .Sh NAME
@@ -399,6 +399,21 @@ Modification of packet filtering rules.
 .It Dv KAUTH_REQ_NETWORK_FIREWALL_NAT
 Modification of NAT rules.
 .El
+.It Dv KAUTH_NETWORK_INTERFACE
+Checks if network interface-related operations are allowed.
+.Pp
+.Ar req
+indicates the sub-action, and can be one of the following:
+.Bl -tag
+.It Dv KAUTH_REQ_NETWORK_INTERFACE_GET
+Check if retrieving information from the device is allowed.
+.It Dv KAUTH_REQ_NETWORK_INTERFACE_GETPRIV
+Check if retrieving privileged information from the device is allowed.
+.It Dv KAUTH_REQ_NETWORK_INTERFACE_SET
+Check if setting parameters on the device is allowed.
+.It Dv KAUTH_REQ_NETWORK_INTERFACE_SETPRIV
+Check if setting privileged parameters on the device is allowed.
+.El
 .It Dv KAUTH_NETWORK_FORWSRCRT
 Checks whether status of forwarding of source-routed packets can be modified
 or not.

sys/secmodel/bsd44/secmodel_bsd44_suser.c

@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.10 2006/10/20 22:02:54 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.11 2006/10/20 23:10:34 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.10 2006/10/20 22:02:54 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.11 2006/10/20 23:10:34 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -303,6 +303,50 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
 
 		break;
 
+	case KAUTH_NETWORK_BIND:
+		switch (req) {
+		case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
+			if (isroot)
+				result = KAUTH_RESULT_ALLOW;
+			break;
+		default:
+			result = KAUTH_RESULT_ALLOW;
+			break;
+		}
+		break;
+
+	case KAUTH_NETWORK_INTERFACE:
+		switch (req) {
+		case KAUTH_REQ_NETWORK_INTERFACE_GET:
+		case KAUTH_REQ_NETWORK_INTERFACE_SET:
+			result = KAUTH_RESULT_ALLOW;
+			break;
+
+		case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
+		case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
+			if (isroot)
+				result = KAUTH_RESULT_ALLOW;
+			break;
+
+		default:
+			result = KAUTH_RESULT_DEFER;
+			break;
+		}
+		break;
+
+	case KAUTH_NETWORK_ROUTE:
+		switch (((struct rt_msghdr *)arg1)->rtm_type) {
+		case RTM_GET:
+			result = KAUTH_RESULT_ALLOW;
+			break;
+
+		default:
+			if (isroot)
+				result = KAUTH_RESULT_ALLOW;
+			break;
+		}
+		break;
+
 	case KAUTH_NETWORK_SOCKET:
 		switch (req) {
 		case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK:
@@ -330,31 +374,6 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
 
 		break;
 
-	case KAUTH_NETWORK_BIND:
-		switch (req) {
-		case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
-			if (isroot)
-				result = KAUTH_RESULT_ALLOW;
-			break;
-		default:
-			result = KAUTH_RESULT_ALLOW;
-			break;
-		}
-		break;
-
-	case KAUTH_NETWORK_ROUTE:
-		switch (((struct rt_msghdr *)arg1)->rtm_type) {
-		case RTM_GET:
-			result = KAUTH_RESULT_ALLOW;
-			break;
-
-		default:
-			if (isroot)
-				result = KAUTH_RESULT_ALLOW;
-			break;
-		}
-		break;
-
 	default:
 		result = KAUTH_RESULT_DEFER;
 		break;

sys/sys/kauth.h

@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.13 2006/10/20 22:02:54 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.14 2006/10/20 23:10:33 elad Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
@@ -143,6 +143,7 @@ enum {
 	KAUTH_NETWORK_ALTQ=1,
 	KAUTH_NETWORK_BIND,
 	KAUTH_NETWORK_FIREWALL,
+	KAUTH_NETWORK_INTERFACE,
 	KAUTH_NETWORK_FORWSRCRT,
 	KAUTH_NETWORK_ROUTE,
 	KAUTH_NETWORK_SOCKET
@@ -168,6 +169,10 @@ enum kauth_network_req {
 	KAUTH_REQ_NETWORK_BIND_PRIVPORT,
 	KAUTH_REQ_NETWORK_FIREWALL_FW,
 	KAUTH_REQ_NETWORK_FIREWALL_NAT,
+	KAUTH_REQ_NETWORK_INTERFACE_GET,
+	KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
+	KAUTH_REQ_NETWORK_INTERFACE_SET,
+	KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
 	KAUTH_REQ_NETWORK_SOCKET_ATTACH,
 	KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
 	KAUTH_REQ_NETWORK_SOCKET_CANSEE