From 432c30993162bcec673387eccd1fe0e458f016ea Mon Sep 17 00:00:00 2001
From: elad <elad@NetBSD.org>
Date: Sat, 2 Dec 2006 03:10:42 +0000
Subject: [PATCH] Change kauth(9) KPI for kauth_authorize_device_passthru() to
 add another argument, u_long, serving as a bit-mask of generic requests for
 the passthru request.

Discussed on tech-security@ and tech-kern@. Okay tls@.
---
 share/man/man9/kauth.9                        | 23 +++++++++++++----
 sys/dev/i2o/dpti.c                            |  7 +++---
 sys/dev/i2o/iop.c                             |  7 +++---
 sys/dev/ic/dpt.c                              |  7 +++---
 sys/dev/ic/icp_ioctl.c                        |  7 +++---
 sys/dev/ic/mlx.c                              |  7 +++---
 sys/dev/pci/amr.c                             |  7 +++---
 sys/dev/pci/mly.c                             |  7 +++---
 sys/dev/pci/twe.c                             |  7 +++---
 sys/dev/tc/stic.c                             |  7 +++---
 sys/kern/kern_auth.c                          | 11 ++++----
 .../bsd44/secmodel_bsd44_securelevel.c        | 25 ++++++++++++++-----
 sys/sys/kauth.h                               | 13 ++++++++--
 13 files changed, 90 insertions(+), 45 deletions(-)

diff --git a/share/man/man9/kauth.9 b/share/man/man9/kauth.9
index 5dda38a8a8ac..7dee81556595 100644
--- a/share/man/man9/kauth.9
+++ b/share/man/man9/kauth.9
@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.36 2006/11/28 17:27:10 elad Exp $
+.\" $NetBSD: kauth.9,v 1.37 2006/12/02 03:10:42 elad Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@@ -28,7 +28,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 28, 2006
+.Dd December 2, 2006
 .Dt KAUTH 9
 .Os
 .Sh NAME
@@ -598,7 +598,7 @@ if ((vp-\*[Gt]v_type == VCHR) \*[Am]\*[Am]
 .Ed
 .Pp
 .Ft int Fn kauth_authorize_device_passthru "kauth_cred_t cred" "dev_t dev" \
-"void *data"
+"u_long mode" "void *data"
 .Pp
 Authorizes hardware
 .Em passthru
@@ -607,11 +607,24 @@ These have the potential of resulting in direct disk and/or memory access.
 .Pp
 It passes
 .Dq KAUTH_DEVICE_RAWIO_PASSTHRU
-as the action to the listener, and accepts two arguments.
+as the action to the listener, and accepts three arguments.
 .Ar dev ,
 passed as
 .Ar arg1
-to the listener, is the device for which the request is made, and
+to the listener, is the device for which the request is made.
+.Ar mode ,
+passed as
+.Ar arg0
+to the listener, is a generic representation of the access mode requested.
+It can be one or more (binary-OR'd) of the following:
+.Pp
+.Bl -tag -offset indent -compact
+.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ
+.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF
+.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE
+.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF
+.El
+.Pp
 .Ar data ,
 passed as
 .Ar arg2
diff --git a/sys/dev/i2o/dpti.c b/sys/dev/i2o/dpti.c
index 1b8befdd7f71..605938eaa75f 100644
--- a/sys/dev/i2o/dpti.c
+++ b/sys/dev/i2o/dpti.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: dpti.c,v 1.30 2006/11/16 01:32:50 christos Exp $	*/
+/*	$NetBSD: dpti.c,v 1.31 2006/12/02 03:10:42 elad Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -64,7 +64,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dpti.c,v 1.30 2006/11/16 01:32:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dpti.c,v 1.31 2006/12/02 03:10:42 elad Exp $");
 
 #include "opt_i2o.h"
 
@@ -277,7 +277,8 @@ dptiioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
 		break;
 
 	case DPT_I2OUSRCMD:
-		rv = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		rv = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (rv)
 			break;
 
diff --git a/sys/dev/i2o/iop.c b/sys/dev/i2o/iop.c
index 740e5fff2d81..fdb157735108 100644
--- a/sys/dev/i2o/iop.c
+++ b/sys/dev/i2o/iop.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: iop.c,v 1.61 2006/11/16 01:32:50 christos Exp $	*/
+/*	$NetBSD: iop.c,v 1.62 2006/12/02 03:10:42 elad Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2001, 2002 The NetBSD Foundation, Inc.
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: iop.c,v 1.61 2006/11/16 01:32:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: iop.c,v 1.62 2006/12/02 03:10:42 elad Exp $");
 
 #include "opt_i2o.h"
 #include "iop.h"
@@ -2526,7 +2526,8 @@ iopioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
 
 	switch (cmd) {
 	case IOPIOCPT:
-		rv = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		rv = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (rv)
 			return (rv);
 
diff --git a/sys/dev/ic/dpt.c b/sys/dev/ic/dpt.c
index 073f78c6ad27..c0c3fbf331bc 100644
--- a/sys/dev/ic/dpt.c
+++ b/sys/dev/ic/dpt.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: dpt.c,v 1.54 2006/11/16 01:32:51 christos Exp $	*/
+/*	$NetBSD: dpt.c,v 1.55 2006/12/02 03:10:42 elad Exp $	*/
 
 /*-
  * Copyright (c) 1997, 1998, 1999, 2000, 2001 The NetBSD Foundation, Inc.
@@ -78,7 +78,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: dpt.c,v 1.54 2006/11/16 01:32:51 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: dpt.c,v 1.55 2006/12/02 03:10:42 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1155,7 +1155,8 @@ dptioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
 		break;
 
 	case DPT_EATAUSRCMD:
-		rv = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		rv = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (rv)
 			return (rv);
 
diff --git a/sys/dev/ic/icp_ioctl.c b/sys/dev/ic/icp_ioctl.c
index 8172d15e18f7..9328333382f4 100644
--- a/sys/dev/ic/icp_ioctl.c
+++ b/sys/dev/ic/icp_ioctl.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: icp_ioctl.c,v 1.13 2006/11/16 01:32:51 christos Exp $	*/
+/*	$NetBSD: icp_ioctl.c,v 1.14 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 2003 The NetBSD Foundation, Inc.
@@ -76,7 +76,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icp_ioctl.c,v 1.13 2006/11/16 01:32:51 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icp_ioctl.c,v 1.14 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -134,7 +134,8 @@ icpioctl(dev_t dev, u_long cmd, caddr_t data, int flag,
 		struct icp_softc *icp;
 		gdt_ucmd_t *ucmd = (void *) data;
 
-		error = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		error = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (error)
 			break;
 
diff --git a/sys/dev/ic/mlx.c b/sys/dev/ic/mlx.c
index d712262e2a94..36c5a3c9ddd1 100644
--- a/sys/dev/ic/mlx.c
+++ b/sys/dev/ic/mlx.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: mlx.c,v 1.48 2006/11/16 01:32:51 christos Exp $	*/
+/*	$NetBSD: mlx.c,v 1.49 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -74,7 +74,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mlx.c,v 1.48 2006/11/16 01:32:51 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mlx.c,v 1.49 2006/12/02 03:10:43 elad Exp $");
 
 #include "ld.h"
 
@@ -798,7 +798,8 @@ mlxioctl(dev_t dev, u_long cmd, caddr_t data, int flag,
 		return (0);
 
 	case MLX_COMMAND:
-		rv = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		rv = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (rv)
 			return (rv);
 
diff --git a/sys/dev/pci/amr.c b/sys/dev/pci/amr.c
index 2f3d247e7381..0e4ff882cc4e 100644
--- a/sys/dev/pci/amr.c
+++ b/sys/dev/pci/amr.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: amr.c,v 1.42 2006/11/25 16:48:32 christos Exp $	*/
+/*	$NetBSD: amr.c,v 1.43 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
@@ -71,7 +71,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: amr.c,v 1.42 2006/11/25 16:48:32 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: amr.c,v 1.43 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1377,7 +1377,8 @@ amrioctl(dev_t dev, u_long cmd, caddr_t data, int flag,
 		*(int *)data = AMR_IO_VERSION_NUMBER;
 		return 0;
 	case AMR_IO_COMMAND:
-		error = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		error = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (error)
 			return (error);
 
diff --git a/sys/dev/pci/mly.c b/sys/dev/pci/mly.c
index 7d46eb3786ef..b77f8c65dde6 100644
--- a/sys/dev/pci/mly.c
+++ b/sys/dev/pci/mly.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: mly.c,v 1.32 2006/11/16 01:33:09 christos Exp $	*/
+/*	$NetBSD: mly.c,v 1.33 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -77,7 +77,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mly.c,v 1.32 2006/11/16 01:33:09 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mly.c,v 1.33 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -2318,7 +2318,8 @@ mlyioctl(dev_t dev, u_long cmd, caddr_t data, int flag,
 
 	switch (cmd) {
 	case MLYIO_COMMAND:
-		rv = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		rv = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (rv)
 			break;
 
diff --git a/sys/dev/pci/twe.c b/sys/dev/pci/twe.c
index 75c3c5b8a5aa..9f59104247a5 100644
--- a/sys/dev/pci/twe.c
+++ b/sys/dev/pci/twe.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: twe.c,v 1.81 2006/11/16 01:33:10 christos Exp $	*/
+/*	$NetBSD: twe.c,v 1.82 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 2000, 2001, 2002, 2003, 2004 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: twe.c,v 1.81 2006/11/16 01:33:10 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: twe.c,v 1.82 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1773,7 +1773,8 @@ tweioctl(dev_t dev, u_long cmd, caddr_t data, int flag,
 	/* This is intended to be compatible with the FreeBSD interface. */
 	switch (cmd) {
 	case TWEIO_COMMAND:
-		error = kauth_authorize_device_passthru(l->l_cred, dev, data);
+		error = kauth_authorize_device_passthru(l->l_cred, dev,
+		    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, data);
 		if (error)
 			return (error);
 
diff --git a/sys/dev/tc/stic.c b/sys/dev/tc/stic.c
index ce45621b4ca7..71fa950d6454 100644
--- a/sys/dev/tc/stic.c
+++ b/sys/dev/tc/stic.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: stic.c,v 1.36 2006/11/08 02:53:31 dogcow Exp $	*/
+/*	$NetBSD: stic.c,v 1.37 2006/12/02 03:10:43 elad Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc.
@@ -73,7 +73,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: stic.c,v 1.36 2006/11/08 02:53:31 dogcow Exp $");
+__KERNEL_RCSID(0, "$NetBSD: stic.c,v 1.37 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -1459,7 +1459,8 @@ sticopen(dev_t dev, int flag, int mode, struct lwp *l)
 	struct stic_info *si;
 	int s, error;
 
-	error = kauth_authorize_device_passthru(l->l_cred, dev, NULL);
+	error = kauth_authorize_device_passthru(l->l_cred, dev,
+	    KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL, NULL);
 	if (error)
 		return (error);
 	if (minor(dev) >= STIC_MAXDV)
diff --git a/sys/kern/kern_auth.c b/sys/kern/kern_auth.c
index f4f4bb48d37c..b120dac4d378 100644
--- a/sys/kern/kern_auth.c
+++ b/sys/kern/kern_auth.c
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_auth.c,v 1.32 2006/11/19 00:11:29 elad Exp $ */
+/* $NetBSD: kern_auth.c,v 1.33 2006/12/02 03:10:43 elad Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.32 2006/11/19 00:11:29 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.33 2006/12/02 03:10:43 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -835,9 +835,10 @@ kauth_authorize_device_spec(kauth_cred_t cred, enum kauth_device_req req,
 }
 
 int
-kauth_authorize_device_passthru(kauth_cred_t cred, dev_t dev, void *data)
+kauth_authorize_device_passthru(kauth_cred_t cred, dev_t dev, u_long bits,
+    void *data)
 {
 	return (kauth_authorize_action(kauth_builtin_scope_device, cred,
-	    KAUTH_DEVICE_RAWIO_PASSTHRU, 0, (void *)(u_long)dev, data,
-	    NULL));
+	    KAUTH_DEVICE_RAWIO_PASSTHRU, (void *)bits, (void *)(u_long)dev,
+	    data, NULL));
 }
diff --git a/sys/secmodel/bsd44/secmodel_bsd44_securelevel.c b/sys/secmodel/bsd44/secmodel_bsd44_securelevel.c
index 8cad8e29c92a..56af25e59033 100644
--- a/sys/secmodel/bsd44/secmodel_bsd44_securelevel.c
+++ b/sys/secmodel/bsd44/secmodel_bsd44_securelevel.c
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44_securelevel.c,v 1.18 2006/11/28 17:27:10 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_securelevel.c,v 1.19 2006/12/02 03:10:43 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_securelevel.c,v 1.18 2006/11/28 17:27:10 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_securelevel.c,v 1.19 2006/12/02 03:10:43 elad Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
@@ -398,17 +398,17 @@ secmodel_bsd44_securelevel_device_cb(kauth_cred_t cred,
     void *arg1, void *arg2, void *arg3)
 {
 	int result;
-	enum kauth_device_req req;
 
 	result = KAUTH_RESULT_DENY;
-	req = (enum kauth_device_req)arg0;
 
 	switch (action) {
 	case KAUTH_DEVICE_RAWIO_SPEC: {
 		struct vnode *vp, *bvp;
+		enum kauth_device_req req;
 		dev_t dev;
 		int d_type;
 
+		req = (enum kauth_device_req)arg0;
 		vp = arg1;
 
 		KASSERT(vp != NULL);
@@ -505,11 +505,24 @@ secmodel_bsd44_securelevel_device_cb(kauth_cred_t cred,
 		break;
 		}
 
-	case KAUTH_DEVICE_RAWIO_PASSTHRU:
-		if (securelevel < 1)
+	case KAUTH_DEVICE_RAWIO_PASSTHRU: {
+		if (securelevel > 0) {
+			u_long bits;
+
+			bits = (u_long)arg0;
+
+			KASSERT(bits != 0);
+			KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
+
+			if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
+				result = KAUTH_RESULT_DENY;
+			else
+				result = KAUTH_RESULT_ALLOW;
+		} else
 			result = KAUTH_RESULT_ALLOW;
 
 		break;
+		}
 
 	default:
 		result = KAUTH_RESULT_DEFER;
diff --git a/sys/sys/kauth.h b/sys/sys/kauth.h
index 5421f3ba8bf3..4f38df60290f 100644
--- a/sys/sys/kauth.h
+++ b/sys/sys/kauth.h
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.24 2006/11/28 17:27:10 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.25 2006/12/02 03:10:44 elad Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
@@ -220,6 +220,15 @@ enum kauth_device_req {
 	KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
 };
 
+/*
+ * Device scope, passthru request - identifiers.
+ */
+#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ		0x00000001
+#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE		0x00000002
+#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF	0x00000004
+#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF	0x00000008
+#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL		0x0000000F
+
 #define NOCRED ((kauth_cred_t)-1)	/* no credential available */
 #define FSCRED ((kauth_cred_t)-2)	/* filesystem credential */
 
@@ -252,7 +261,7 @@ int kauth_authorize_device(kauth_cred_t, kauth_action_t,
 int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
 int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
     struct vnode *);
-int kauth_authorize_device_passthru(kauth_cred_t, dev_t, void *);
+int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
 
 /* Kauth credentials management routines. */
 kauth_cred_t kauth_cred_alloc(void);