Support device scope.

2006-12-29 18:34:28 +00:00 · 2006-12-29 18:34:28 +00:00 · 4798cd2cab
parent a220cee1c3
commit 4798cd2cab
2 changed files with 42 additions and 3 deletions
--- a/sys/secmodel/overlay/overlay.h
+++ b/sys/secmodel/overlay/overlay.h
@ -1,4 +1,4 @@
-/* $NetBSD: overlay.h,v 1.1 2006/09/08 20:58:57 elad Exp $ */
+/* $NetBSD: overlay.h,v 1.2 2006/12/29 18:34:28 elad Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -45,5 +45,7 @@ int secmodel_overlay_network_cb(kauth_cred_t, kauth_action_t, void *,
    void *, void *, void *, void *);
 int secmodel_overlay_machdep_cb(kauth_cred_t, kauth_action_t, void *,
    void *, void *, void *, void *);
+int secmodel_overlay_device_cb(kauth_cred_t, kauth_action_t, void *,
+    void *, void *, void *, void *);

 #endif /* !_SECMODEL_OVERLAY_OVERLAY_H_ */
--- a/sys/secmodel/overlay/secmodel_overlay.c
+++ b/sys/secmodel/overlay/secmodel_overlay.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_overlay.c,v 1.3 2006/09/17 14:27:40 elad Exp $ */
+/* $NetBSD: secmodel_overlay.c,v 1.4 2006/12/29 18:34:28 elad Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -30,7 +30,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_overlay.c,v 1.3 2006/09/17 14:27:40 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_overlay.c,v 1.4 2006/12/29 18:34:28 elad Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -53,12 +53,14 @@ __KERNEL_RCSID(0, "$NetBSD: secmodel_overlay.c,v 1.3 2006/09/17 14:27:40 elad Ex
 #define	OVERLAY_ISCOPE_PROCESS	"org.netbsd.kauth.overlay.process"
 #define	OVERLAY_ISCOPE_NETWORK	"org.netbsd.kauth.overlay.network"
 #define	OVERLAY_ISCOPE_MACHDEP	"org.netbsd.kauth.overlay.machdep"
+#define	OVERLAY_ISCOPE_DEVICE	"org.netbsd.kauth.overlay.device"

 static kauth_scope_t secmodel_overlay_iscope_generic;
 static kauth_scope_t secmodel_overlay_iscope_system;
 static kauth_scope_t secmodel_overlay_iscope_process;
 static kauth_scope_t secmodel_overlay_iscope_network;
 static kauth_scope_t secmodel_overlay_iscope_machdep;
+static kauth_scope_t secmodel_overlay_iscope_device;

 extern int secmodel_bsd44_curtain;

@ -81,6 +83,8 @@ secmodel_overlay_init(void)
 	    OVERLAY_ISCOPE_NETWORK, NULL, NULL);
 	secmodel_overlay_iscope_machdep = kauth_register_scope(
 	    OVERLAY_ISCOPE_MACHDEP, NULL, NULL);
+	secmodel_overlay_iscope_device = kauth_register_scope(
+	    OVERLAY_ISCOPE_DEVICE, NULL, NULL);

 	/*
 	 * Register fall-back listeners, from bsd44, to each internal
@ -109,6 +113,11 @@ secmodel_overlay_init(void)
 	kauth_listen_scope(OVERLAY_ISCOPE_MACHDEP,
 	    secmodel_bsd44_securelevel_machdep_cb, NULL);

+	kauth_listen_scope(OVERLAY_ISCOPE_DEVICE,
+	    secmodel_bsd44_suser_device_cb, NULL);
+	kauth_listen_scope(OVERLAY_ISCOPE_DEVICE,
+	    secmodel_bsd44_securelevel_device_cb, NULL);
+
 	secmodel_bsd44_init();
 }

@ -176,6 +185,8 @@ secmodel_start(void)
 	    secmodel_overlay_network_cb, NULL);
 	kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
 	    secmodel_overlay_machdep_cb, NULL);
+	kauth_listen_scope(KAUTH_SCOPE_DEVICE,
+	    secmodel_overlay_device_cb, NULL);
 }

 /*
@ -307,3 +318,29 @@ secmodel_overlay_machdep_cb(kauth_cred_t cred, kauth_action_t action,

 	return (result);
 }
+
+/*
+ * Overlay listener for the device scope.
+ */
+int
+secmodel_overlay_device_cb(kauth_cred_t cred, kauth_action_t action,
+    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	int result;
+
+	result = KAUTH_RESULT_DEFER;
+
+	switch (action) {
+	default:
+		result = KAUTH_RESULT_DEFER;
+		break;
+	}
+
+	if (result == KAUTH_RESULT_DEFER) {
+		result = kauth_authorize_action(
+		    secmodel_overlay_iscope_device, cred, action,
+		    arg0, arg1, arg2, arg3);
+	}
+
+	return (result);
+}