Introduce KAUTH_REQ_MACHDEP_{ALPHA,X86}_UNMANAGEDMEM to handle access
to unmanaged memory. These are the last two securelevel references in the MD code.
This commit is contained in:
parent
ee1dd181bc
commit
4b316db1d1
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: secmodel_example.c,v 1.6 2006/11/04 09:37:54 elad Exp $ */
|
||||
/* $NetBSD: secmodel_example.c,v 1.7 2006/11/22 12:12:51 elad Exp $ */
|
||||
|
||||
/*
|
||||
* This file is placed in the public domain.
|
||||
|
@ -13,7 +13,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.6 2006/11/04 09:37:54 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.7 2006/11/22 12:12:51 elad Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
|
@ -340,11 +340,19 @@ secmodel_example_machdep_cb(kauth_cred_t cred, kauth_action_t action,
|
|||
result = KAUTH_RESULT_DENY;
|
||||
|
||||
switch (action) {
|
||||
case KAUTH_MACHDEP_ALPHA:
|
||||
switch ((u_long)arg0) {
|
||||
case KAUTH_REQ_MACHDEP_ALPHA_UNMANAGEDMEM:
|
||||
default:
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
break;
|
||||
}
|
||||
case KAUTH_MACHDEP_X86:
|
||||
switch ((u_long)arg0) {
|
||||
case KAUTH_REQ_MACHDEP_X86_IOPL:
|
||||
case KAUTH_REQ_MACHDEP_X86_IOPERM:
|
||||
case KAUTH_REQ_MACHDEP_X86_MTRR_SET:
|
||||
case KAUTH_REQ_MACHDEP_X86_UNMANAGEDMEM:
|
||||
default:
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
break;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: kauth.9,v 1.34 2006/11/19 00:11:30 elad Exp $
|
||||
.\" $NetBSD: kauth.9,v 1.35 2006/11/22 12:12:51 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
.\" All rights reserved.
|
||||
|
@ -28,7 +28,7 @@
|
|||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd November 19, 2006
|
||||
.Dd November 22, 2006
|
||||
.Dt KAUTH 9
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -446,11 +446,21 @@ In this scope,
|
|||
always indicates the machine for the request.
|
||||
Below is the list of available request hierarchy.
|
||||
.Bl -tag
|
||||
.It Dv KAUTH_MACHDEP_ALPHA
|
||||
The request is alpha specific.
|
||||
.Pp
|
||||
Available requests as
|
||||
.Ar req
|
||||
are:
|
||||
.Bl -tag
|
||||
.It Dv KAUTH_REQ_MACHDEP_ALPHA_UNMANAGEDMEM
|
||||
Access to unmanaged memory requested.
|
||||
.El
|
||||
.It Dv KAUTH_MACHDEP_X86
|
||||
The request is x86 specific.
|
||||
.Pp
|
||||
Available requests as
|
||||
.Ar arg1
|
||||
.Ar req
|
||||
are:
|
||||
.Bl -tag
|
||||
.It Dv KAUTH_REQ_MACHDEP_X86_IOPL
|
||||
|
@ -459,6 +469,8 @@ Checks if IOPL is allowed to be modified.
|
|||
Checks if IOPERM is allowed to be modified.
|
||||
.It Dv KAUTH_REQ_MACHDEP_X86_MTRR_SET
|
||||
Checks if the MTRR can be set.
|
||||
.It Dv KAUTH_REQ_MACHDEP_X86_UNMANAGEDMEM
|
||||
Access to unmanaged memory requested.
|
||||
.El
|
||||
.It Dv KAUTH_MACHDEP_X86_64
|
||||
The request is x86-64 specific.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: machdep.c,v 1.289 2006/10/21 05:54:31 mrg Exp $ */
|
||||
/* $NetBSD: machdep.c,v 1.290 2006/11/22 12:12:51 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1998, 1999, 2000 The NetBSD Foundation, Inc.
|
||||
|
@ -75,7 +75,7 @@
|
|||
|
||||
#include <sys/cdefs.h> /* RCS ID & Copyright macro defns */
|
||||
|
||||
__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.289 2006/10/21 05:54:31 mrg Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.290 2006/11/22 12:12:51 elad Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -104,6 +104,7 @@ __KERNEL_RCSID(0, "$NetBSD: machdep.c,v 1.289 2006/10/21 05:54:31 mrg Exp $");
|
|||
#include <sys/ucontext.h>
|
||||
#include <sys/conf.h>
|
||||
#include <sys/ksyms.h>
|
||||
#include <sys/kauth.h>
|
||||
#include <machine/kcore.h>
|
||||
#include <machine/fpu.h>
|
||||
|
||||
|
@ -1891,7 +1892,8 @@ alpha_pa_access(pa)
|
|||
* Address is not a memory address. If we're secure, disallow
|
||||
* access. Otherwise, grant read/write.
|
||||
*/
|
||||
if (securelevel > 0)
|
||||
if (kauth_authorize_machdep(kauth_cred_get(), KAUTH_MACHDEP_ALPHA,
|
||||
KAUTH_REQ_MACHDEP_ALPHA_UNMANAGEDMEM, NULL, NULL, NULL) != 0)
|
||||
return (PROT_NONE);
|
||||
else
|
||||
return (PROT_READ | PROT_WRITE);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: x86_machdep.c,v 1.3 2006/11/16 01:32:39 christos Exp $ */
|
||||
/* $NetBSD: x86_machdep.c,v 1.4 2006/11/22 12:12:51 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2005 The NetBSD Foundation, Inc.
|
||||
|
@ -37,13 +37,14 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: x86_machdep.c,v 1.3 2006/11/16 01:32:39 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: x86_machdep.c,v 1.4 2006/11/22 12:12:51 elad Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
#include <sys/kcore.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/kauth.h>
|
||||
|
||||
#include <machine/bootinfo.h>
|
||||
#include <machine/vmparam.h>
|
||||
|
@ -98,7 +99,8 @@ check_pa_acc(paddr_t pa, vm_prot_t prot)
|
|||
extern int mem_cluster_cnt;
|
||||
int i;
|
||||
|
||||
if (securelevel <= 0) {
|
||||
if (kauth_authorize_machdep(kauth_cred_get(), KAUTH_MACHDEP_X86,
|
||||
KAUTH_REQ_MACHDEP_X86_UNMANAGEDMEM, NULL, NULL, NULL) == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: secmodel_bsd44_securelevel.c,v 1.14 2006/11/16 01:33:51 christos Exp $ */
|
||||
/* $NetBSD: secmodel_bsd44_securelevel.c,v 1.15 2006/11/22 12:12:51 elad Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
|
@ -38,7 +38,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_securelevel.c,v 1.14 2006/11/16 01:33:51 christos Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_securelevel.c,v 1.15 2006/11/22 12:12:51 elad Exp $");
|
||||
|
||||
#ifdef _KERNEL_OPT
|
||||
#include "opt_insecure.h"
|
||||
|
@ -310,6 +310,17 @@ secmodel_bsd44_securelevel_machdep_cb(kauth_cred_t cred,
|
|||
req = (enum kauth_machdep_req)arg0;
|
||||
|
||||
switch (action) {
|
||||
case KAUTH_MACHDEP_ALPHA:
|
||||
switch (req) {
|
||||
case KAUTH_REQ_MACHDEP_ALPHA_UNMANAGEDMEM:
|
||||
if (securelevel < 0)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
default:
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case KAUTH_MACHDEP_X86:
|
||||
switch (req) {
|
||||
case KAUTH_REQ_MACHDEP_X86_IOPL:
|
||||
|
@ -317,6 +328,10 @@ secmodel_bsd44_securelevel_machdep_cb(kauth_cred_t cred,
|
|||
if (securelevel < 2)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
case KAUTH_REQ_MACHDEP_X86_UNMANAGEDMEM:
|
||||
if (securelevel < 0)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
default:
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
break;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: kauth.h,v 1.20 2006/11/19 00:11:30 elad Exp $ */
|
||||
/* $NetBSD: kauth.h,v 1.21 2006/11/22 12:12:51 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
|
@ -178,7 +178,8 @@ enum kauth_network_req {
|
|||
* Machdep scope - actions.
|
||||
*/
|
||||
enum {
|
||||
KAUTH_MACHDEP_X86=1,
|
||||
KAUTH_MACHDEP_ALPHA=1,
|
||||
KAUTH_MACHDEP_X86,
|
||||
KAUTH_MACHDEP_X86_64
|
||||
};
|
||||
|
||||
|
@ -186,10 +187,12 @@ enum {
|
|||
* Machdep scope - sub-actions.
|
||||
*/
|
||||
enum kauth_machdep_req {
|
||||
KAUTH_REQ_MACHDEP_X86_64_MTRR_GET=1, /* ridiculous. */
|
||||
KAUTH_REQ_MACHDEP_ALPHA_UNMANAGEDMEM=1,
|
||||
KAUTH_REQ_MACHDEP_X86_64_MTRR_GET, /* ridiculous. */
|
||||
KAUTH_REQ_MACHDEP_X86_IOPERM,
|
||||
KAUTH_REQ_MACHDEP_X86_IOPL,
|
||||
KAUTH_REQ_MACHDEP_X86_MTRR_SET
|
||||
KAUTH_REQ_MACHDEP_X86_MTRR_SET,
|
||||
KAUTH_REQ_MACHDEP_X86_UNMANAGEDMEM
|
||||
};
|
||||
|
||||
/*
|
||||
|
|
Loading…
Reference in New Issue