First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; it's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
elad 2006-09-08 20:58:56 +00:00
parent 296c01bb4f
commit 5f7169ccb1
50 changed files with 2388 additions and 387 deletions

@ -1,4 +1,4 @@
# $NetBSD: mi,v 1.920 2006/09/07 00:20:28 ad Exp $
# $NetBSD: mi,v 1.921 2006/09/08 20:58:58 elad Exp $
./etc/mtree/set.comp comp-sys-root
./usr/bin/addr2line comp-debug-bin bfd
./usr/bin/ar comp-util-bin bfd
@ -7042,6 +7042,7 @@
./usr/share/man/cat9/sched_unlock_idle.0 comp-sys-catman .cat
./usr/share/man/cat9/scheduler.0 comp-sys-catman .cat
./usr/share/man/cat9/scsipi.0 comp-sys-catman .cat
./usr/share/man/cat9/secmodel.0 comp-sys-catman .cat
./usr/share/man/cat9/selnotify.0 comp-sys-catman .cat
./usr/share/man/cat9/selrecord.0 comp-sys-catman .cat
./usr/share/man/cat9/selwakeup.0 comp-sys-catman .cat
@ -11213,6 +11214,7 @@
./usr/share/man/man9/sched_unlock_idle.9 comp-sys-man .man
./usr/share/man/man9/scheduler.9 comp-sys-man .man
./usr/share/man/man9/scsipi.9 comp-sys-man .man
./usr/share/man/man9/secmodel.9 comp-sys-man .man
./usr/share/man/man9/selnotify.9 comp-sys-man .man
./usr/share/man/man9/selrecord.9 comp-sys-man .man
./usr/share/man/man9/selwakeup.9 comp-sys-man .man

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.209 2006/09/06 18:15:35 wiz Exp $
# $NetBSD: Makefile,v 1.210 2006/09/08 20:58:56 elad Exp $
# Makefile for section 9 (kernel function and variable) manual pages.
@ -36,7 +36,7 @@ MAN= altq.9 arc4random.9 arp.9 audio.9 autoconf.9 \
radio.9 ras.9 rasops.9 ratecheck.9 resettodr.9 rnd.9 rssadapt.9 \
rt_timer.9 RUN_ONCE.9 \
SCHED_LOCK.9 scheduler.9 \
scsipi.9 setjmp.9 setrunqueue.9 shutdownhook_establish.9 \
scsipi.9 secmodel.9 setjmp.9 setrunqueue.9 shutdownhook_establish.9 \
signal.9 softintr.9 spl.9 store.9 suspendsched.9 \
sysctl.9 tc.9 timecounter.9 time_second.9 \
todr.9 uiomove.9 ucom.9 userret.9 \

share/man/man9/secmodel.9 Normal file
@ -0,0 +1,365 @@
.\" $NetBSD: secmodel.9,v 1.1 2006/09/08 20:58:56 elad Exp $
.\"
.\" Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Elad Efrat.
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 8, 2006
.Dt SECMODEL 9
.Os
.Sh NAME
.Nm secmodel
.Nd security model development guidelines
.Sh DESCRIPTION
.Nx
provides a complete abstraction of the underlying security model used with
the operating system to a set of
.Xr kauth 9
scopes and actions.
.Pp
It is possible to modify the security model -- either slightly or using an
entirely different model -- by attaching/detaching
.Xr kauth 9
listeners.
This document describes this process.
.Ss Background
In
.Nx 4.0 ,
Kernel Authorization --
.Xr kauth 9
-- was introduced as the subsystem responsible for authorization and
credential management.
Before its introduction, there were several ways for providing resource access
control:
.Bl -dash -offset indent -compact
.It
Checking if the user in question is the superuser via
.Xr suser 9 .
.It
Comparing the user-id against hard-coded values, often zero,
.It
Checking the system securelevel.
.El
.Pp
The problem with the above is that the interface ("can X do Y?") was
tightly coupled with the implementation ("is X Z?").
.Xr kauth 9
allowed us to separate them, dispatching requests with highly detailed
context using
a consistent and clear KPI.
.Pp
The result is a pluggable framework for attaching "listeners" that can
modify the behavior of the system, security-wise.
It allows us to maintain the existing security model (based on a single
superuser and above-superuser restrictions known as securelevel) but easily
decouple it from the system, given we want to use a different one.
.Pp
The different security model can be implemented in the kernel or loaded as an
LKM, base its decisions on available information, dispatch the decision to a
userspace daemon, or even to a centralized network authorization server.
.Ss The kauth(9) KPI
Before writing a new security model, one should be familiar with the
.Xr kauth 9
KPI, its limitations, requirements, and so on.
.Pp
First, some terminology.
According to
.Xr kauth 9 ,
the system is logically divided to scopes, where each scope denotes a
different area of interest in the system -- something like a namespace.
For example,
.Nx
has the process, network, and machdep scopes, representing process-related,
network-related, and machdep-related actions.
.Pp
Each scope has a collection of actions -- or requests -- forming the high
level indication of the request type.
Each request is automatically associated with credentials and between zero
to four arguments providing the request context.
.Pp
For example, in the process scope there are requests such as "can signal",
"can change rlimits", and "can change corename".
.Pp
Each scope in the system is associated with listeners, which are actually
callback routines, that get called when an authorization request on the
relevant scope takes place.
.Pp
Every listener receives the request and its context, and can make a decision
of either "allow", "deny", or "defer" (if it doesn't want to be the one
deciding).
.Pp
It is important to note that a single "deny" is enough to fail a request,
and at least a single "allow" is required to allow it.
In other words, it is impossible to attach listeners that weaken the security
of the system or override decisions made by other listeners.
.Pp
At last, there are several things you should remember about
.Xr kauth 9 :
.Bl -dash -offset indent
.It
Authorization requests can not be issued when the kernel is holding any
locks.
This is a requirement from kernel code, to allow designing security models
where the request should be dispatched to userspace or a different host.
.It
Private listener data -- such as internal data-structures -- is entirely
under the resonsibility of the developer.
Locking, synchronization, and garbage collection are all things that
.Xr kauth 9
does
.Em not
take care of for you!
.El
.Ss Writing a new security model
A security model is composed of (code-wise) the following components:
.Bl -enum -offset indent
.It
A
.Fn secmodel_start
routine, receiving and returning void.
This routine registers the various listeners for the security model.
.It
An "init" routine, named
.Fn secmodel_<model>_init ,
receiving and returning void.
This routine is used to initialize any private data-structures that may be
used by the model.
If none exist, it can be omitted.
It should be called from
.Fn secmodel_start .
.It
A sysctl(9) setup routine for the model.
This should create an entry for the model in the
.Xr sysctl 9
namespace, under the "security.models.<model>" hierarchy.
.It
All "knobs" for the model should be located under the new node, as well
as a mandatory "name" variable, indicating a descriptive human-readable
name for the model.
.It
Optionally, internal data-structures used by the model. These must all
be prefixed with "secmodel_<model>_".
.It
A set of listeners, attached to various scopes, used to enforce the policy
the model intends to implement.
.El
.Pp
Below is sample code for a
.Xr kauth 9
network scope listener for the
.Em jenna
security model.
It is used to allow users with a user-id below 1000 bind to reserved ports
(for example, 22/TCP):
.Bd -literal -offset indent
int
secmodel_jenna_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
/* Default defer. */
result = KAUTH_RESULT_DEFER;
switch (action) {
case KAUTH_NETWORK_BIND:
/*
* We only care about bind(2) requests to privileged
* ports.
*/
if ((u_long)arg0 == KAUTH_REQ_NETWORK_BIND_PRIVPORT) {
/*
* If the user-id is below 1000, which may
* indicate a "reserved" user-id, allow the
* request.
*/
if (kauth_cred_geteuid(cred) < 1000)
result = KAUTH_RESULT_ALLOW;
}
break;
}
return (result);
}
.Ed
.Pp
There are two main issues, however, with that listener, that you should be
aware of when approaching to write your own security model:
.Bl -enum -offset indent
.It
As mentioned,
.Xr kauth 9
uses restrictive decisions: if you attach this listener on-top of an existing
security model, even if it would allow the request, it could still be failed.
.It
If you attach this listener as the only listener for the network scope,
there are many other requests that will be deferred and, eventually,
denied -- which may not be desired.
.El
.Pp
That's why before implementing listeners, it should be clear whether they
implement an entirely new from scratch security model, or add on-top of an
existing one.
.Ss Adding on-top of an existing security model
One of the shortcomings of
.Xr kauth 9
is that it does not provide any stacking mechanism, similar to Linux Security
Modules (LSM).
This, however, is considered a feature in reducing dependency on other people's
code.
.Pp
To properly "stack" minor adjustments on-top of an existing security model,
one could use one of two approaches:
.Bl -dash
.It
Registering an internal scope for the security model to be used as a
fall-back when requests are deferred.
.Pp
This requires the security model developer to add an internal scope for
every scope the model partly covers, and registering the fall-back
listeners to it.
In the model's listener(s) for the scope, when a defer decision is made, the
request is passed to be authorized on the internal scope, effectively using
the fall-back security model.
.Pp
Here's example code that implements the above:
.Bd -literal -offset indent
#include <secmodel/bsd44/bsd44.h>
/*
* Internal fall-back scope for the network scope.
*/
#define JENNA_ISCOPE_NETWORK "jenna.iscope.network"
static kauth_scope_t secmodel_jenna_iscope_network;
/*
* Jenna's entry point. Register internal scope for the network scope
* which we partly cover for fall-back authorization.
*/
void
secmodel_jenna_start(void)
{
secmodel_jenna_iscope_network = kauth_register_scope(
JENNA_ISCOPE_NETWORK, NULL, NULL);
kauth_listen_scope(JENNA_ISCOPE_NETWORK,
secmodel_bsd44_suser_network_cb, NULL);
kauth_listen_scope(JENNA_ISCOPE_NETWORK,
secmodel_bsd44_securelevel_network_cb, NULL);
}
/*
* Jenna sits on top of another model, effectively filtering requests.
* If it has nothing to say, it discards the request. This is a good
* example for fine-tuning a security model for a special need.
*/
int
secmodel_jenna_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
/* Default defer. */
result = KAUTH_RESULT_DEFER;
switch (action) {
case KAUTH_NETWORK_BIND:
/*
* We only care about bind(2) requests to privileged
* ports.
*/
if ((u_long)arg0 == KAUTH_REQ_NETWORK_BIND_PRIVPORT) {
if (kauth_cred_geteuid(cred) < 1000)
result = KAUTH_RESULT_ALLOW;
}
break;
}
/*
* If we have don't have a decision, fall-back to the bsd44
* security model.
*/
if (result == KAUTH_RESULT_DEFER)
result = kauth_authorize_action(
secmodel_jenna_iscope_network, cred, action,
arg0, arg1, arg2, arg3);
return (result);
}
.Ed
.It
If the above is not desired, or cannot be used for any reason, there is
always the ability to manually call the fall-back routine:
.Bd -literal -offset indent
int
secmodel_jenna_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
/* Default defer. */
result = KAUTH_RESULT_DEFER;
switch (action) {
case KAUTH_NETWORK_BIND:
/*
* We only care about bind(2) requests to privileged
* ports.
*/
if ((u_long)arg0 == KAUTH_REQ_NETWORK_BIND_PRIVPORT) {
if (kauth_cred_geteuid(cred) < 1000)
result = KAUTH_RESULT_ALLOW;
}
break;
}
/*
* If we have don't have a decision, fall-back to the bsd44
* security model's suser behavior.
*/
if (result == KAUTH_RESULT_DEFER)
result = secmodel_bsd44_suser_network_cb(cred, action,
cookie, arg0, arg1, arg2, arg3);
return (result);
}
.Ed
.El
.Ss Writing a new security model from scratch
When writing a security model from scratch, aside from the obvious issues of
carefully following the desired policy to be implemented and paying attention
to all of the issues outlined above, one must also remember that any unhandled
requests will be denied by default.
.Pp
To make it easier on developers to write new security models from scratch,
.Nx
maintains skeleton listeners that contain every possible request and
arguments.
.Sh SEE ALSO
.Xr kauth 9 ,
.Sh AUTHOR
.An Elad Efrat Aq elad@NetBSD.org
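Review bot: the second overlay example falls back to secmodel_bsd44_suser_network_cb() only, whereas the first example registers both secmodel_bsd44_suser_network_cb and secmodel_bsd44_securelevel_network_cb on the internal scope; the text introducing the second form should state plainly that deferred network requests then skip the bsd44 securelevel checks, not merely that it uses the "suser behavior", since a reader copying it will otherwise weaken securelevel enforcement without noticing. Smaller fixes in the same file: `.Sh AUTHOR` should be `.Sh AUTHORS` per mdoc(7); `.Xr kauth 9 ,` under SEE ALSO ends in a comma with nothing following; "resonsibility" in the Background list; "If we have don't have a decision" appears in two code comments; and "allow users with a user-id below 1000 bind to reserved ports" should read "to bind".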

@ -1,4 +1,4 @@
/* $NetBSD: netbsd32_machdep.c,v 1.25 2006/08/30 14:01:57 cube Exp $ */
/* $NetBSD: netbsd32_machdep.c,v 1.26 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 2001 Wasabi Systems, Inc.
@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: netbsd32_machdep.c,v 1.25 2006/08/30 14:01:57 cube Exp $");
__KERNEL_RCSID(0, "$NetBSD: netbsd32_machdep.c,v 1.26 2006/09/08 20:58:57 elad Exp $");
#include "opt_compat_netbsd.h"
#include "opt_coredump.h"
@ -616,8 +616,9 @@ x86_64_get_mtrr32(struct lwp *l, void *args, register_t *retval)
if (mtrr_funcs == NULL)
return ENOSYS;
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
/* XXX this looks like a copy/paste error. */
error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86_64,
(void *)KAUTH_REQ_MACHDEP_X86_64_MTRR_GET, NULL, NULL, NULL);
if (error != 0)
return error;
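Review bot: the scope and request identifiers differ between the two MTRR hunks in this file: this one passes KAUTH_MACHDEP_X86_64 with KAUTH_REQ_MACHDEP_X86_64_MTRR_GET, while x86_64_set_mtrr32 below and every sys_machdep.c hunk in the patch use KAUTH_MACHDEP_X86 with KAUTH_REQ_MACHDEP_X86_*. Confirm that both pairs are defined in sys/kauth.h (not on this page), or use the X86 pair here too. The added "XXX this looks like a copy/paste error." comment should also say what it refers to, for instance whether a read-only MTRR query should need an authorization request at all; as written, a later reader cannot tell which line is suspect.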
@ -683,8 +684,8 @@ x86_64_set_mtrr32(struct lwp *l, void *args, register_t *retval)
if (mtrr_funcs == NULL)
return ENOSYS;
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_MTRR_SET, NULL, NULL, NULL);
if (error != 0)
return error;

@ -1,4 +1,4 @@
/* $NetBSD: sys_machdep.c,v 1.7 2006/07/23 22:06:04 ad Exp $ */
/* $NetBSD: sys_machdep.c,v 1.8 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.7 2006/07/23 22:06:04 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.8 2006/09/08 20:58:57 elad Exp $");
#if 0
#include "opt_user_ldt.h"
@ -392,13 +392,10 @@ x86_64_iopl(l, args, retval)
struct trapframe *tf = l->l_md.md_regs;
struct x86_64_iopl_args ua;
if (securelevel > 1)
if (kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_IOPL, NULL, NULL, NULL))
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
return error;
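Review bot: the return convention disagrees with the i386 version of the same function in this patch: here the result of kauth_authorize_machdep() is tested as a boolean and replaced by a hard-coded EPERM, while i386_iopl assigns it to error and returns that. The removed code also propagated the error from kauth_authorize_generic(), so prefer `if ((error = kauth_authorize_machdep(...)) != 0) return error;` here (and in x86_64_set_ioperm), which keeps both ports reporting the same errno and replaces the old `securelevel > 1` guard plus ISSUSER check with one request.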
@ -438,13 +435,10 @@ x86_64_set_ioperm(p, args, retval)
struct pcb *pcb = &p->p_addr->u_pcb;
struct x86_64_set_ioperm_args ua;
if (securelevel > 1)
if (kauth_authorize_machdep(p->p_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_IOPERM, NULL, NULL, NULL))
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
return (error);
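Review bot: the credential passed changes from l->l_cred in the removed lines to p->p_cred in the new call, in a function whose header reads x86_64_set_ioperm(p, args, retval). Check which of p and l is actually in scope here and that the requesting lwp's credentials are the ones authorized; a process-wide credential and the lwp's credential can differ, and the other ioperm hunks in this patch all use l->l_cred. The same boolean-versus-errno point raised for x86_64_iopl applies to this hunk.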
@ -488,8 +482,8 @@ x86_64_set_mtrr(struct lwp *l, void *args, register_t *retval)
if (mtrr_funcs == NULL)
return ENOSYS;
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_MTRR_SET, NULL, NULL, NULL);
if (error != 0)
return error;

@ -1,4 +1,4 @@
/* $NetBSD: sys_machdep.c,v 1.74 2006/07/23 22:06:05 ad Exp $ */
/* $NetBSD: sys_machdep.c,v 1.75 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 1998 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.74 2006/07/23 22:06:05 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.75 2006/09/08 20:58:57 elad Exp $");
#include "opt_compat_netbsd.h"
#include "opt_mtrr.h"
@ -354,11 +354,9 @@ i386_iopl(l, args, retval)
struct trapframe *tf = l->l_md.md_regs;
struct i386_iopl_args ua;
if (securelevel > 1)
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_machdep(l->l_cred,
KAUTH_MACHDEP_X86, (void *)KAUTH_REQ_MACHDEP_X86_IOPL,
NULL, NULL, NULL)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
@ -398,11 +396,9 @@ i386_set_ioperm(l, args, retval)
struct pcb *pcb = &l->l_addr->u_pcb;
struct i386_set_ioperm_args ua;
if (securelevel > 1)
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_machdep(l->l_cred,
KAUTH_MACHDEP_X86, (void *)KAUTH_REQ_MACHDEP_X86_IOPERM,
NULL, NULL, NULL)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
@ -445,8 +441,8 @@ i386_set_mtrr(struct lwp *l, void *args, register_t *retval)
if (mtrr_funcs == NULL)
return ENOSYS;
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_MTRR_SET, NULL, NULL, NULL);
if (error != 0)
return error;

@ -1,4 +1,4 @@
/* $NetBSD: disksubr.c,v 1.23 2005/12/11 12:18:23 christos Exp $ */
/* $NetBSD: disksubr.c,v 1.24 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1982, 1986, 1988 Regents of the University of California.
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: disksubr.c,v 1.23 2005/12/11 12:18:23 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: disksubr.c,v 1.24 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -204,7 +204,9 @@ bounds_check_with_label(struct disk *dk, struct buf *bp, int wlabel)
/* overwriting disk label ? */
/* XXX should also protect bootstrap in first 8K */
if (securelevel >= 1 &&
if (kauth_authorize_system(curlwp->l_cred, KAUTH_SYSTEM_RAWIO,
(void *)KAUTH_REQ_SYSTEM_RAWIO_DISK,
(void *)KAUTH_REQ_SYSTEM_RAWIO_READWRITE, NULL, NULL) &&
bp->b_blkno + p->p_offset <= labelsector &&
(bp->b_flags & B_READ) == 0 && wlabel == 0) {
bp->b_error = EROFS;
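Review bot: the result of kauth_authorize_system() is used as a bare truth value at the head of the && chain, so the code depends on a non-zero return meaning "denied"; the other hunks in this patch (ipkdb, ip_fil_netbsd.c, ip_nat.c, init_sysctl.c) write `!= KAUTH_RESULT_ALLOW`, and the same form here would make the condition read as "raw-I/O write denied and the transfer overlaps the label". Also move the cheap tests (the labelsector comparison, `(bp->b_flags & B_READ) == 0`, `wlabel == 0`) ahead of the authorization request so listeners are consulted only for writes that actually reach the label; the removed `securelevel >= 1` test cost nothing, whereas the replacement can call out to listeners on every buffer that passes through here. The second disksubr.c hunk below is identical and needs the same change.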

@ -1,4 +1,4 @@
/* $NetBSD: disksubr.c,v 1.20 2005/12/11 12:18:25 christos Exp $ */
/* $NetBSD: disksubr.c,v 1.21 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1982, 1986, 1988 Regents of the University of California.
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: disksubr.c,v 1.20 2005/12/11 12:18:25 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: disksubr.c,v 1.21 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -204,7 +204,9 @@ bounds_check_with_label(struct disk *dk, struct buf *bp, int wlabel)
/* overwriting disk label ? */
/* XXX should also protect bootstrap in first 8K */
if (securelevel >= 1 &&
if (kauth_authorize_system(curlwp->l_cred, KAUTH_SYSTEM_RAWIO,
(void *)KAUTH_REQ_SYSTEM_RAWIO_DISK,
(void *)KAUTH_REQ_SYSTEM_RAWIO_READWRITE, NULL, NULL) &&
bp->b_blkno + p->p_offset <= labelsector &&
(bp->b_flags & B_READ) == 0 && wlabel == 0) {
bp->b_error = EROFS;

@ -1,4 +1,4 @@
/* $NetBSD: sys_machdep.c,v 1.7 2006/07/23 22:06:08 ad Exp $ */
/* $NetBSD: sys_machdep.c,v 1.8 2006/09/08 20:58:57 elad Exp $ */
/* NetBSD: sys_machdep.c,v 1.70 2003/10/27 14:11:47 junyoung Exp */
/*-
@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.7 2006/07/23 22:06:08 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: sys_machdep.c,v 1.8 2006/09/08 20:58:57 elad Exp $");
#include "opt_compat_netbsd.h"
#include "opt_mtrr.h"
@ -359,13 +359,10 @@ i386_iopl(l, args, retval)
if ((xen_start_info.flags & SIF_PRIVILEGED) == 0)
return EPERM;
if (securelevel > 1)
if (kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_IOPL, NULL, NULL, NULL))
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
return error;
@ -422,13 +419,10 @@ i386_set_ioperm(l, args, retval)
struct pcb *pcb = &l->l_addr->u_pcb;
struct i386_set_ioperm_args ua;
if (securelevel > 1)
if (kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_IOPERM, NULL, NULL, NULL))
return EPERM;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
return error;
if ((error = copyin(args, &ua, sizeof(ua))) != 0)
return (error);
@ -469,8 +463,8 @@ i386_set_mtrr(struct lwp *l, void *args, register_t *retval)
if (mtrr_funcs == NULL)
return ENOSYS;
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86,
(void *)KAUTH_REQ_MACHDEP_X86_MTRR_SET, NULL, NULL, NULL);
if (error != 0)
return error;

@ -1,4 +1,4 @@
# $NetBSD: files,v 1.810 2006/09/07 14:22:07 itohy Exp $
# $NetBSD: files,v 1.811 2006/09/08 20:58:57 elad Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@ -1210,6 +1210,11 @@ include "ufs/files.ufs"
#
include "uvm/files.uvm"
#
# Security models
#
include "secmodel/files.secmodel"
#
# kernel sources
#
@ -1288,7 +1293,6 @@ file kern/kern_prot.c
file kern/kern_ras.c
file kern/kern_resource.c
file kern/kern_sa.c
file kern/kern_securelevel.c
file kern/kern_sig.c
file kern/kern_systrace.c systrace
file kern/kern_subr.c

@ -1,4 +1,4 @@
# $NetBSD: std,v 1.6 2006/08/29 23:34:48 matt Exp $
# $NetBSD: std,v 1.7 2006/09/08 20:58:57 elad Exp $
#
# standard MI 'options'
#
@ -13,3 +13,8 @@ options BUFQ_DISKSORT # Traditional min seek sort strategy
options RFC2292 # Previous version of Adv. Sockets API for IPv6
options PTRACE # Include ptrace(2)
options COREDUMP # allow processes to coredump.
#
# Security model.
#
options secmodel_bsd44 # Traditional 4.4BSD security model

@ -1,4 +1,4 @@
/* $NetBSD: ip_fil_netbsd.c,v 1.21 2006/08/30 18:50:20 christos Exp $ */
/* $NetBSD: ip_fil_netbsd.c,v 1.22 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (C) 1993-2003 by Darren Reed.
@ -38,6 +38,10 @@ static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.38 2006/03/25 13:0
#include <sys/socket.h>
#include <sys/poll.h>
#if (__NetBSD_Version__ >= 399002000)
#include <sys/kauth.h>
#endif
#include <net/if.h>
#include <net/route.h>
#include <netinet/in.h>
@ -517,7 +521,13 @@ int mode;
int error = 0, unit = 0, tmp;
friostat_t fio;
#if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(p->l_cred,
KAUTH_NETWORK_FIREWALL, (void *)KAUTH_REQ_NETWORK_FIREWALL_FW,
NULL, NULL, NULL) != KAUTH_RESULT_ALLOW)
#else
if ((securelevel >= 2) && (mode & FWRITE))
#endif
return EPERM;
unit = GET_MINOR(dev);

@ -1,4 +1,4 @@
/* $NetBSD: ip_nat.c,v 1.12 2006/06/13 02:08:20 christos Exp $ */
/* $NetBSD: ip_nat.c,v 1.13 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (C) 1995-2003 by Darren Reed.
@ -20,6 +20,9 @@
defined(_KERNEL)
# include "opt_ipfilter.h"
#endif
#if (__NetBSD_Version__ >= 399002000)
#include <sys/kauth.h>
#endif
#if !defined(_KERNEL)
# include <stdio.h>
# include <string.h>
@ -621,7 +624,13 @@ int mode;
ipnat_t natd;
#if (BSD >= 199306) && defined(_KERNEL)
#if (__NetBSD_Version__ >= 399002000)
if ((mode & FWRITE) && kauth_authorize_network(curlwp->l_cred,
KAUTH_NETWORK_FIREWALL, (void *)KAUTH_REQ_NETWORK_FIREWALL_NAT,
NULL, NULL, NULL) != KAUTH_RESULT_ALLOW)
#else
if ((securelevel >= 2) && (mode & FWRITE))
#endif
return EPERM;
#endif

@ -1,4 +1,4 @@
/* $NetBSD: pf_ioctl.c,v 1.22 2006/09/03 04:53:19 christos Exp $ */
/* $NetBSD: pf_ioctl.c,v 1.23 2006/09/08 20:58:57 elad Exp $ */
/* $OpenBSD: pf_ioctl.c,v 1.139 2005/03/03 07:13:39 dhartmei Exp $ */
/*
@ -66,6 +66,8 @@
#include <sys/malloc.h>
#ifdef __NetBSD__
#include <sys/conf.h>
#include <sys/lwp.h>
#include <sys/kauth.h>
#endif
#include <net/if.h>
@ -1137,7 +1139,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct lwp *l)
int error = 0;
/* XXX keep in sync with switch() below */
if (securelevel > 1)
if (kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FIREWALL,
(void *)KAUTH_REQ_NETWORK_FIREWALL_FW, NULL, NULL, NULL))
switch (cmd) {
case DIOCGETRULES:
case DIOCGETRULE:
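Review bot: the new condition wraps the switch unconditionally, so an authorization request is issued on every pfioctl() call, including the read-only DIOCGETRULES/DIOCGETRULE cases listed in the switch, where the removed `if (securelevel > 1)` was a plain integer compare; if the intent is to restrict only the write commands, issue the request from the cases that modify state instead. This is also the one firewall hunk that tests the result as a boolean rather than `!= KAUTH_RESULT_ALLOW` as ip_fil_netbsd.c and ip_nat.c do; keep one convention.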

@ -1,4 +1,4 @@
/* $NetBSD: ipkdb_ipkdb.c,v 1.15 2005/12/24 20:45:09 perry Exp $ */
/* $NetBSD: ipkdb_ipkdb.c,v 1.16 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (C) 1993-2000 Wolfgang Solfrank.
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipkdb_ipkdb.c,v 1.15 2005/12/24 20:45:09 perry Exp $");
__KERNEL_RCSID(0, "$NetBSD: ipkdb_ipkdb.c,v 1.16 2006/09/08 20:58:57 elad Exp $");
#include "opt_ipkdb.h"
@ -41,6 +41,7 @@ __KERNEL_RCSID(0, "$NetBSD: ipkdb_ipkdb.c,v 1.15 2005/12/24 20:45:09 perry Exp $
#include <sys/mbuf.h>
#include <sys/reboot.h>
#include <sys/systm.h>
#include <sys/kauth.h>
#include <net/if.h>
#include <net/if_arp.h>
@ -1138,7 +1139,8 @@ check_ipkdb(ifp, shost, p, l)
char save;
#ifndef IPKDBSECURE
if (securelevel > 0)
if (kauth_authorize_system(curlwp->l_cred, KAUTH_SYSTEM_IPKDB,
NULL, NULL, NULL, NULL) != KAUTH_RESULT_ALLOW)
return 0;
#endif
if (ipkdbcmp(chksum(p, l), p + l, LENCHK))

@ -1,4 +1,4 @@
/* $NetBSD: init_main.c,v 1.276 2006/07/26 09:33:57 dogcow Exp $ */
/* $NetBSD: init_main.c,v 1.277 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1991, 1992, 1993
@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.276 2006/07/26 09:33:57 dogcow Exp $");
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.277 2006/09/08 20:58:57 elad Exp $");
#include "opt_ipsec.h"
#include "opt_kcont.h"
@ -169,6 +169,8 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.276 2006/07/26 09:33:57 dogcow Exp $
#include <net/if.h>
#include <net/raw_cb.h>
#include <secmodel/secmodel.h>
extern struct proc proc0;
extern struct lwp lwp0;
extern struct cwdinfo cwdi0;
@ -333,6 +335,9 @@ main(void)
/* Initialize kauth. */
kauth_init();
/* Initialize default security model. */
secmodel_start();
#ifdef FILEASSOC
fileassoc_init();
#endif /* FILEASSOC */

@ -1,4 +1,4 @@
/* $NetBSD: init_sysctl.c,v 1.82 2006/09/08 11:59:52 manu Exp $ */
/* $NetBSD: init_sysctl.c,v 1.83 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2003 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.82 2006/09/08 11:59:52 manu Exp $");
__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.83 2006/09/08 20:58:57 elad Exp $");
#include "opt_sysv.h"
#include "opt_multiprocessor.h"
@ -98,7 +98,6 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.82 2006/09/08 11:59:52 manu Exp $"
#include <machine/cpu.h>
/* XXX this should not be here */
int security_curtain = 0;
int security_setidcore_dump;
char security_setidcore_path[MAXPATHLEN] = "/var/crash/%n.core";
uid_t security_setidcore_owner = 0;
@ -1075,25 +1074,6 @@ SYSCTL_SETUP(sysctl_debug_setup, "sysctl debug subtree setup")
}
#endif /* DEBUG */
SYSCTL_SETUP(sysctl_security_setup, "sysctl security subtree setup")
{
const struct sysctlnode *rnode = NULL;
sysctl_createv(clog, 0, NULL, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "security", NULL,
NULL, 0, NULL, 0,
CTL_SECURITY, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "curtain",
SYSCTL_DESCR("Curtain information about objects"
" to users not owning them."),
NULL, 0, &security_curtain, 0,
CTL_CREATE, CTL_EOL);
}
/*
* ********************************************************************
* section 2: private node-specific helper routines.
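Review bot: this deletes the SYSCTL_SETUP that creates the top-level "security" node (CTL_SECURITY) along with the curtain knob, yet sysctl_security_setidcore and sysctl_security_setidcorename further down in this file remain, and the new secmodel(9) page documents a "security.models.<model>" hierarchy. Confirm that the "security" node and the `security_curtain` variable (whose definition is also removed in the preceding hunk) are now created and defined by the secmodel code, which is not on this page; otherwise the setidcore nodes have no parent and any remaining reader of security_curtain has no definition.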
@ -1171,7 +1151,9 @@ sysctl_kern_rtc_offset(SYSCTLFN_ARGS)
if (error || newp == NULL)
return (error);
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_TIME,
KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
(void *)(u_long)new_rtc_offset, NULL, NULL) != KAUTH_RESULT_ALLOW)
return (EPERM);
if (rtc_offset == new_rtc_offset)
return (0);
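Review bot: KAUTH_REQ_SYSTEM_TIME_RTCOFFSET is passed without the `(void *)` cast that every other request constant in this patch receives (new_rtc_offset itself goes through `(void *)(u_long)`); if the request ids are integer constants this is an integer-to-pointer conversion without a cast, which the kernel build treats as an error on 64-bit targets. Cast it the same way as the other call sites.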
@ -2400,14 +2382,10 @@ sysctl_kern_proc_args(SYSCTLFN_ARGS)
/* only root or same user change look at the environment */
if (type == KERN_PROC_ENV || type == KERN_PROC_NENV) {
if (kauth_cred_geteuid(l->l_cred) != 0) {
if (kauth_cred_getuid(l->l_cred) !=
kauth_cred_getuid(p->p_cred) ||
kauth_cred_getuid(l->l_cred) !=
kauth_cred_getsvuid(p->p_cred)) {
if (kauth_authorize_process(l->l_cred, KAUTH_PROCESS_CANSEE,
p, NULL, NULL, NULL) != KAUTH_RESULT_ALLOW) {
error = EPERM;
goto out_locked;
}
}
}
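Review bot: the comment "only root or same user change look at the environment" is now stale: the euid-zero bypass and the uid/svuid comparison are gone from this function and the decision belongs to whichever listener handles KAUTH_PROCESS_CANSEE. Reword it to say the environment is returned only if the caller is authorized to see the target process, so the next reader does not assume root is still special-cased here.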
@ -2622,7 +2600,8 @@ sysctl_security_setidcore(SYSCTLFN_ARGS)
if (error || newp == NULL)
return error;
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SETIDCORE,
0, NULL, NULL, NULL) != KAUTH_RESULT_ALLOW)
return (EPERM);
*(int *)rnode->sysctl_data = newsize;
@ -2645,7 +2624,8 @@ sysctl_security_setidcorename(SYSCTLFN_ARGS)
if (error || newp == NULL) {
goto out;
}
if (securelevel > 0) {
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SETIDCORE,
0, NULL, NULL, NULL) != KAUTH_RESULT_ALLOW) {
error = EPERM;
goto out;
}


@ -1,4 +1,4 @@
/* $NetBSD: kern_acct.c,v 1.66 2006/07/23 22:06:10 ad Exp $ */
/* $NetBSD: kern_acct.c,v 1.67 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 1982, 1986, 1989, 1993
@ -71,7 +71,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_acct.c,v 1.66 2006/07/23 22:06:10 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_acct.c,v 1.67 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -299,8 +299,8 @@ sys_acct(struct lwp *l, void *v, register_t *retval)
int error;
/* Make sure that the caller is root. */
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_ACCOUNTING,
0, NULL, NULL, NULL)))
return (error);
/*
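Review bot: the replacement drops `&l->l_acflag`, and with it the ASU bit that the removed generic callback used to set (`*acflag |= ASU;` in the kern_auth.c hunk). Process accounting records will no longer flag that superuser privilege was exercised for sys_acct() or for any of the other call sites converted in this patch; if that is intended, document it, otherwise the listeners need a way to set the flag. Also, `if ((error = kauth_authorize_system(...)))` should read `!= 0` for consistency with the surrounding style.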


@ -1,4 +1,4 @@
/* $NetBSD: kern_auth.c,v 1.18 2006/09/02 20:10:24 elad Exp $ */
/* $NetBSD: kern_auth.c,v 1.19 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -96,7 +96,10 @@ static struct simplelock scopes_lock;
/* Built-in scopes: generic, process. */
static kauth_scope_t kauth_builtin_scope_generic;
static kauth_scope_t kauth_builtin_scope_system;
static kauth_scope_t kauth_builtin_scope_process;
static kauth_scope_t kauth_builtin_scope_network;
static kauth_scope_t kauth_builtin_scope_machdep;
/* Allocate new, empty kauth credentials. */
kauth_cred_t
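Review bot: the comment `/* Built-in scopes: generic, process. */` is now stale; list all five scopes declared beneath it (generic, system, process, network, machdep).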
@ -374,20 +377,14 @@ kauth_cred_getgroups(kauth_cred_t cred, gid_t *grbuf, size_t len)
}
/*
* Match uids in two credentials. Checks if cred1 can access stuff owned by
* cred2.
* XXX: root bypasses this!
* Match uids in two credentials.
*/
static int
int
kauth_cred_uidmatch(kauth_cred_t cred1, kauth_cred_t cred2)
{
KASSERT(cred1 != NULL);
KASSERT(cred2 != NULL);
/* Are we root? */
if (cred1->cr_euid == 0)
return (1);
if (cred1->cr_uid == cred2->cr_uid ||
cred1->cr_euid == cred2->cr_uid ||
cred1->cr_uid == cred2->cr_euid ||
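Review bot: kauth_cred_uidmatch() loses its euid-0 short-circuit and becomes external in the same step, so every caller that implicitly relied on root matching anything now gets a plain uid/euid/svuid comparison. That is the right direction for a pluggable model, but the function needs a prototype in sys/kauth.h (not in this patch), and the comment should state that root no longer gets a bypass rather than simply dropping the `XXX: root bypasses this!` sentence.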
@ -594,11 +591,23 @@ kauth_init(void)
/* Register generic scope. */
kauth_builtin_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC,
kauth_authorize_cb_generic, NULL);
NULL, NULL);
/* Register system scope. */
kauth_builtin_scope_system = kauth_register_scope(KAUTH_SCOPE_SYSTEM,
NULL, NULL);
/* Register process scope. */
kauth_builtin_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS,
kauth_authorize_cb_process, NULL);
NULL, NULL);
/* Register network scope. */
kauth_builtin_scope_network = kauth_register_scope(KAUTH_SCOPE_NETWORK,
NULL, NULL);
/* Register machdep scope. */
kauth_builtin_scope_machdep = kauth_register_scope(KAUTH_SCOPE_MACHDEP,
NULL, NULL);
}
/*
@ -705,11 +714,6 @@ kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
if (SIMPLEQ_EMPTY(&scope->listenq))
return (0);
/*
* Each scope is associated with at least one listener. We need to
* traverse that list of listeners, as long as they return either
* KAUTH_REQUEST_DEFER or KAUTH_REQUEST_ALLOW.
*/
fail = 0;
allow = 0;
SIMPLEQ_FOREACH(listener, &scope->listenq, listener_next) {
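Review bot: with every built-in scope now registered with a NULL default callback, the early return `if (SIMPLEQ_EMPTY(&scope->listenq)) return (0);` makes a scope with no listener fail open: every request is granted until a security model registers a listener for it. If the bsd44 listeners are not registered (a model that forgets a scope, a build without it, or the window before listener registration), privileged operations succeed for any credential. Consider returning EPERM for an empty listener queue, or at minimum asserting after initialization that each built-in scope has at least one listener.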
@ -725,49 +729,6 @@ kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
return ((allow && !fail) ? 0 : EPERM);
};
/*
* Generic scope default callback.
*/
int
kauth_authorize_cb_generic(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2,
void *arg3)
{
int error;
error = KAUTH_RESULT_DEFER;
switch (action) {
case KAUTH_GENERIC_ISSUSER:
/* Check if credential belongs to superuser. */
if (cred->cr_euid == 0) {
u_short *acflag = (u_short *)arg0;
if (acflag != NULL)
*acflag |= ASU;
error = KAUTH_RESULT_ALLOW;
} else
error = KAUTH_RESULT_DENY;
break;
case KAUTH_GENERIC_CANSEE:
if (!security_curtain) {
error = KAUTH_RESULT_ALLOW;
} else {
kauth_cred_t cred2 = arg0;
if (kauth_cred_uidmatch(cred, cred2))
error = KAUTH_RESULT_ALLOW;
else
error = KAUTH_RESULT_DENY;
}
break;
}
return (error);
}
/*
* Generic scope authorization wrapper.
*/
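Review bot: the generic scope keeps its kauth_authorize_generic() wrapper but now has neither a default callback nor, in this file, a listener, so the answer to a KAUTH_GENERIC_ISSUSER request depends entirely on what the security model registers. umap_vnops.c in this same patch still issues KAUTH_GENERIC_ISSUSER and kern_resource.c adds a new use; either convert those too or confirm that bsd44 installs a generic-scope listener implementing ISSUSER.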
@ -779,55 +740,14 @@ kauth_authorize_generic(kauth_cred_t cred, kauth_action_t action, void *arg0)
}
/*
* Process scope default callback.
* System scope authorization wrapper.
*/
int
kauth_authorize_cb_process(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2,
void *arg3)
kauth_authorize_system(kauth_cred_t cred, kauth_action_t action,
enum kauth_system_req req, void *arg1, void *arg2, void *arg3)
{
struct proc *p;
int error;
error = KAUTH_RESULT_DEFER;
p = arg0;
switch (action) {
case KAUTH_PROCESS_CANSIGNAL: {
int signum;
signum = (int)(unsigned long)arg1;
if (kauth_cred_uidmatch(cred, p->p_cred) ||
(signum == SIGCONT && (curproc->p_session == p->p_session)))
error = KAUTH_RESULT_ALLOW;
else
error = KAUTH_RESULT_DEFER;
break;
}
case KAUTH_PROCESS_CANPTRACE:
if (kauth_cred_uidmatch(cred, p->p_cred))
error = KAUTH_RESULT_ALLOW;
else
error = KAUTH_RESULT_DENY;
break;
case KAUTH_PROCESS_CANSEE:
if (!security_curtain) {
error = KAUTH_RESULT_ALLOW;
} else {
if (kauth_cred_uidmatch(cred, p->p_cred))
error = KAUTH_RESULT_ALLOW;
else
error = KAUTH_RESULT_DENY;
/* arg2 - type of information [XXX NOTIMPL] */
}
break;
}
return (error);
return (kauth_authorize_action(kauth_builtin_scope_system, cred,
action, (void *)req, arg1, arg2, arg3));
}
/*
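Review bot: the process-scope callback removed here carried logic beyond a uid match: KAUTH_PROCESS_CANSIGNAL allowed SIGCONT within the same session (`signum == SIGCONT && (curproc->p_session == p->p_session)`), CANPTRACE denied on uid mismatch, and CANSEE honoured `security_curtain`. The new kauth_authorize_system() wrapper takes its place with no visible successor for those rules; please point to where the bsd44 listener reimplements them, since job control and ptrace restrictions depend on them. Passing the request as `(void *)req` is fine, but a comment noting that arg0 of the system scope is an `enum kauth_system_req` would help listener authors.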
@ -840,3 +760,22 @@ kauth_authorize_process(kauth_cred_t cred, kauth_action_t action,
return (kauth_authorize_action(kauth_builtin_scope_process, cred,
action, p, arg1, arg2, arg3));
}
/*
* Network scope authorization wrapper.
*/
int
kauth_authorize_network(kauth_cred_t cred, kauth_action_t action,
void *arg0, void *arg1, void *arg2, void *arg3)
{
return (kauth_authorize_action(kauth_builtin_scope_network, cred,
action, arg0, arg1, arg2, arg3));
}
int
kauth_authorize_machdep(kauth_cred_t cred, kauth_action_t action,
void *arg0, void *arg1, void *arg2, void *arg3)
{
return (kauth_authorize_action(kauth_builtin_scope_machdep, cred,
action, arg0, arg1, arg2, arg3));
}
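Review bot: kauth_authorize_machdep() lacks the `/* ... scope authorization wrapper. */` comment block the other wrappers carry, and neither it nor kauth_authorize_network() is declared in a header in this hunk; add both prototypes to sys/kauth.h together with the new scope names.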


@ -1,4 +1,4 @@
/* $NetBSD: kern_lkm.c,v 1.91 2006/09/02 06:26:13 christos Exp $ */
/* $NetBSD: kern_lkm.c,v 1.92 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1994 Christopher G. Demetriou
@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_lkm.c,v 1.91 2006/09/02 06:26:13 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_lkm.c,v 1.92 2006/09/08 20:58:57 elad Exp $");
#include "opt_ddb.h"
#include "opt_malloclog.h"
@ -64,6 +64,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_lkm.c,v 1.91 2006/09/02 06:26:13 christos Exp $
#include <sys/ksyms.h>
#include <sys/device.h>
#include <sys/once.h>
#include <sys/kauth.h>
#include <sys/lkm.h>
#include <sys/syscall.h>
@ -343,7 +344,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
switch(cmd) {
case LMRESERV: /* reserve pages for a module */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */
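Review bot: the same kauth_authorize_system(... KAUTH_SYSTEM_LKM, 0, (void *)cmd, ...) block is pasted into six ioctl cases (LMRESERV, LMLOADBUF, LMUNRESRV, LMREADY, LMUNLOAD, LMFORCE); wrap it in a small static helper, or hoist it ahead of the switch if every privileged case runs it first, so a future case cannot forget it. Note also that the request argument is 0 and the ioctl number is passed as arg1: if the listener is expected to distinguish load from unload, a proper enum request is clearer than decoding `cmd`.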
@ -394,7 +396,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
break;
case LMLOADBUF: /* Copy in; stateful, follows LMRESERV */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */
@ -462,7 +465,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
break;
case LMUNRESRV: /* discard reserved pages for a module */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */
@ -478,7 +482,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
break;
case LMREADY: /* module loaded: call entry */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */
@ -567,7 +572,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
break;
case LMUNLOAD: /* unload a module */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */
@ -620,7 +626,8 @@ lkmioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct lwp *l)
#ifdef LMFORCE
case LMFORCE: /* stateful, optionally follows LMRESERV */
if (securelevel > 0)
if (kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_LKM,
0, (void *)cmd, NULL, NULL) != KAUTH_RESULT_ALLOW)
return EPERM;
if ((flag & FWRITE) == 0) /* only allow this if writing */


@ -1,4 +1,4 @@
/* $NetBSD: kern_ntptime.c,v 1.35 2006/07/23 22:06:11 ad Exp $ */
/* $NetBSD: kern_ntptime.c,v 1.36 2006/09/08 20:58:57 elad Exp $ */
#include <sys/types.h> /* XXX to get __HAVE_TIMECOUNTER, remove
after all ports are converted. */
#ifdef __HAVE_TIMECOUNTER
@ -37,7 +37,7 @@
#include <sys/cdefs.h>
/* __FBSDID("$FreeBSD: src/sys/kern/kern_ntptime.c,v 1.59 2005/05/28 14:34:41 rwatson Exp $"); */
__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.35 2006/07/23 22:06:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.36 2006/09/08 20:58:57 elad Exp $");
#include "opt_ntp.h"
#include "opt_compat_netbsd.h"
@ -247,8 +247,9 @@ sys_ntp_adjtime(l, v, retval)
if (error != 0)
return (error);
if (ntv.modes != 0 && (error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if (ntv.modes != 0 && (error = kauth_authorize_network(l->l_cred,
KAUTH_SYSTEM_TIME, (void *)KAUTH_REQ_SYSTEM_TIME_NTPADJTIME, NULL,
NULL, NULL)) != 0)
return (error);
ntp_adjtime1(&ntv);
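Review bot: this is a scope mismatch: KAUTH_SYSTEM_TIME is a system-scope action, but it is dispatched through kauth_authorize_network(), so the system-scope listeners (which handle KAUTH_REQ_SYSTEM_TIME_ADJTIME for sys_adjtime() in kern_time.c) never see it, and network listeners receive an action value from the wrong namespace. Use `kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_TIME, KAUTH_REQ_SYSTEM_TIME_NTPADJTIME, NULL, NULL, NULL)` as kern_time.c does. The same mistake is repeated in the second copy of sys_ntp_adjtime() below.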
@ -903,7 +904,7 @@ hardpps(struct timespec *tsp, /* time at PPS */
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.35 2006/07/23 22:06:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_ntptime.c,v 1.36 2006/09/08 20:58:57 elad Exp $");
#include "opt_ntp.h"
#include "opt_compat_netbsd.h"
@ -1016,8 +1017,9 @@ sys_ntp_adjtime(l, v, retval)
if (error != 0)
return (error);
if (ntv.modes != 0 && (error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if (ntv.modes != 0 && (error = kauth_authorize_network(l->l_cred,
KAUTH_SYSTEM_TIME, (void *)KAUTH_REQ_SYSTEM_TIME_NTPADJTIME, NULL,
NULL, NULL)) != 0)
return (error);
ntp_adjtime1(&ntv);


@ -1,4 +1,4 @@
/* $NetBSD: kern_prot.c,v 1.93 2006/07/30 21:58:11 ad Exp $ */
/* $NetBSD: kern_prot.c,v 1.94 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1990, 1991, 1993
@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_prot.c,v 1.93 2006/07/30 21:58:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_prot.c,v 1.94 2006/09/08 20:58:57 elad Exp $");
#include "opt_compat_43.h"
@ -338,8 +338,8 @@ do_setresuid(struct lwp *l, uid_t r, uid_t e, uid_t sv, u_int flags)
&& !((flags & ID_S_EQ_S) && sv == kauth_cred_getsvuid(cred)))) {
int error;
error = kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_process(cred, KAUTH_PROCESS_SETID,
p, NULL, NULL, NULL);
if (error != 0) {
proc_crmod_leave(p, cred, NULL);
return error;
@ -414,8 +414,8 @@ do_setresgid(struct lwp *l, gid_t r, gid_t e, gid_t sv, u_int flags)
&& !((flags & ID_S_EQ_S) && sv == kauth_cred_getsvgid(cred)))) {
int error;
error = kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_process(cred, KAUTH_PROCESS_SETID,
p, NULL, NULL, NULL);
if (error != 0) {
proc_crmod_leave(p, cred, NULL);
return error;
@ -627,8 +627,8 @@ sys_setgroups(struct lwp *l, void *v, register_t *retval)
proc_crmod_enter(p);
cred = p->p_cred;
if ((error = kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_process(cred, KAUTH_PROCESS_SETID,
p, NULL, NULL, NULL)) != 0)
goto bad;
ngrp = SCARG(uap, gidsetsize);
@ -695,8 +695,8 @@ sys___setlogin(struct lwp *l, void *v, register_t *retval)
char newname[sizeof s->s_login + 1];
int error;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_process(l->l_cred, KAUTH_PROCESS_SETID,
p, NULL, NULL, NULL)) != 0)
return (error);
error = copyinstr(SCARG(uap, namebuf), &newname, sizeof newname, NULL);
if (error != 0)
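Review bot: sys___setlogin() is mapped onto KAUTH_PROCESS_SETID with `p` as the target, but setting the session login name is not a set-id operation; a listener that relaxes SETID (for example to let a daemon drop privileges) would also unlock setlogin(2), which affects accounting and utmp attribution. A dedicated request, or a sub-request under KAUTH_PROCESS_SETID, would keep the two decisions separate.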


@ -1,4 +1,4 @@
/* $NetBSD: kern_resource.c,v 1.103 2006/07/30 17:38:19 elad Exp $ */
/* $NetBSD: kern_resource.c,v 1.104 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 1982, 1986, 1991, 1993
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.103 2006/07/30 17:38:19 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_resource.c,v 1.104 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -206,8 +206,9 @@ donice(struct lwp *l, struct proc *chgp, int n)
if (n < PRIO_MIN)
n = PRIO_MIN;
n += NZERO;
if (n < chgp->p_nice && kauth_authorize_generic(cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag))
if (n < chgp->p_nice && kauth_authorize_process(cred,
KAUTH_PROCESS_RESOURCE, chgp, (void *)KAUTH_REQ_PROCESS_RESOURCE_NICE,
(void *)(u_long)n, NULL))
return (EACCES);
chgp->p_nice = n;
SCHED_LOCK(s);
@ -261,8 +262,9 @@ dosetrlimit(struct lwp *l, struct proc *p, int which, struct rlimit *limp)
return (EINVAL);
}
if (limp->rlim_max > alimp->rlim_max && (error =
kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
kauth_authorize_process(l->l_cred, KAUTH_PROCESS_RESOURCE,
p, (void *)KAUTH_REQ_PROCESS_RESOURCE_RLIMIT, limp,
(void *)(u_long)which)) != KAUTH_RESULT_ALLOW)
return (error);
if (p->p_limit->p_refcnt > 1 &&
@ -572,6 +574,8 @@ sysctl_proc_findproc(struct lwp *l, struct proc **p2, pid_t pid)
else if ((ptmp = pfind(pid)) == NULL)
error = ESRCH;
else {
boolean_t isroot = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, NULL);
/*
* suid proc of ours or proc not ours
*/
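Review bot: `isroot` is assigned the return value of kauth_authorize_generic(), which is an errno (0 when allowed, EPERM otherwise, per kauth_authorize_action() in this patch), so `isroot` is true for a non-root caller and false for root, and `error = isroot ? 0 : EPERM;` in the next hunk therefore refuses root and admits everyone else. Either write `isroot = (kauth_authorize_generic(...) == 0)` or, better, replace the construct with a KAUTH_PROCESS_CANSEE request; as written this also adds a new KAUTH_GENERIC_ISSUSER user while the rest of the patch removes them.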
@ -579,16 +583,14 @@ sysctl_proc_findproc(struct lwp *l, struct proc **p2, pid_t pid)
kauth_cred_getuid(ptmp->p_cred) ||
kauth_cred_getuid(l->l_cred) !=
kauth_cred_getsvuid(ptmp->p_cred))
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = isroot ? 0 : EPERM;
/*
* sgid proc has sgid back to us temporarily
*/
else if (kauth_cred_getgid(ptmp->p_cred) !=
kauth_cred_getsvgid(ptmp->p_cred))
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = isroot ? 0 : EPERM;
/*
* our rgid must be in target's group list (ie,
@ -600,8 +602,7 @@ sysctl_proc_findproc(struct lwp *l, struct proc **p2, pid_t pid)
if (kauth_cred_ismember_gid(l->l_cred,
kauth_cred_getgid(ptmp->p_cred), &ismember) != 0 ||
!ismember) {
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = isroot ? 0 : EPERM;
}
}
}


@ -1,4 +1,4 @@
/* $NetBSD: kern_sysctl.c,v 1.201 2006/09/02 06:33:11 christos Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.202 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2003 The NetBSD Foundation, Inc.
@ -75,7 +75,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_sysctl.c,v 1.201 2006/09/02 06:33:11 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_sysctl.c,v 1.202 2006/09/08 20:58:57 elad Exp $");
#include "opt_defcorename.h"
#include "ksyms.h"
@ -523,8 +523,9 @@ sysctl_locate(struct lwp *l, const int *name, u_int namelen,
* can anyone traverse this node or only root?
*/
if (l != NULL && (pnode->sysctl_flags & CTLFLAG_PRIVATE) &&
(error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
(error = kauth_authorize_system(l->l_cred,
KAUTH_SYSTEM_SYSCTL, KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
NULL, NULL, NULL)) != 0)
return (error);
/*
* find a child node with the right number
@ -713,10 +714,8 @@ sysctl_create(SYSCTLFN_ARGS)
*/
if (l != NULL) {
#ifndef SYSCTL_DISALLOW_CREATE
if (securelevel > 0)
return (EPERM);
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SYSCTL,
KAUTH_REQ_SYSTEM_SYSCTL_ADD, NULL, NULL, NULL);
if (error)
return (error);
if (!(rnode->sysctl_flags & CTLFLAG_READWRITE))
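Review bot: the `if (securelevel > 0) return (EPERM);` guard is dropped from sysctl_create() (and from sysctl_destroy() and sysctl_describe() below) with no replacement in this file, so unless the bsd44 listener denies KAUTH_REQ_SYSTEM_SYSCTL_ADD, _DELETE and _DESC once securelevel is raised, a root process can again add, delete and re-describe sysctl nodes on a secured system. A sentence confirming the listener carries that threshold would help reviewers of the policy side.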
@ -1248,10 +1247,8 @@ sysctl_destroy(SYSCTLFN_ARGS)
*/
if (l != NULL) {
#ifndef SYSCTL_DISALLOW_CREATE
if (securelevel > 0)
return (EPERM);
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SYSCTL,
KAUTH_REQ_SYSTEM_SYSCTL_DELETE, NULL, NULL, NULL);
if (error)
return (error);
if (!(rnode->sysctl_flags & CTLFLAG_READWRITE))
@ -1417,8 +1414,8 @@ sysctl_lookup(SYSCTLFN_ARGS)
* some nodes are private, so only root can look into them.
*/
if (l != NULL && (rnode->sysctl_flags & CTLFLAG_PRIVATE) &&
(error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
(error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SYSCTL,
KAUTH_REQ_SYSTEM_SYSCTL_PRVT, NULL, NULL, NULL)) != 0)
return (error);
/*
@ -1655,12 +1652,10 @@ sysctl_describe(SYSCTLFN_ARGS)
*/
if (l != NULL) {
#ifndef SYSCTL_DISALLOW_CREATE
if (securelevel > 0) {
error = EPERM;
goto out;
}
error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag);
error = kauth_authorize_system(l->l_cred,
KAUTH_SYSTEM_SYSCTL,
KAUTH_REQ_SYSTEM_SYSCTL_DESC, NULL,
NULL, NULL);
if (error)
goto out;
#else /* SYSCTL_DISALLOW_CREATE */
@ -1789,8 +1784,8 @@ sysctl_describe(SYSCTLFN_ARGS)
* don't describe "private" nodes to non-suser users
*/
if ((node[i].sysctl_flags & CTLFLAG_PRIVATE) && (l != NULL) &&
!(kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)))
!(kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SYSCTL,
KAUTH_REQ_SYSTEM_SYSCTL_PRVT, NULL, NULL, NULL)))
continue;
/*
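Review bot: the negation is inverted: `!(kauth_authorize_system(...))` is true when the call returns 0, i.e. when the caller is authorized, so private nodes are skipped for privileged callers and described to everyone else. The shape predates this change (the old `!(kauth_authorize_generic(...))` had the same problem), but since the line is being rewritten, make it `kauth_authorize_system(...) != 0` to match the comment `don't describe "private" nodes to non-suser users`.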


@ -1,4 +1,4 @@
/* $NetBSD: kern_time.c,v 1.105 2006/07/23 22:06:11 ad Exp $ */
/* $NetBSD: kern_time.c,v 1.106 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2000, 2004, 2005 The NetBSD Foundation, Inc.
@ -68,7 +68,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.105 2006/07/23 22:06:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_time.c,v 1.106 2006/09/08 20:58:57 elad Exp $");
#include "fs_nfs.h"
#include "opt_nfs.h"
@ -167,7 +167,9 @@ settime(struct proc *p, struct timespec *ts)
#else /* !__HAVE_TIMECOUNTER */
timersub(&tv, &time, &delta);
#endif /* !__HAVE_TIMECOUNTER */
if ((delta.tv_sec < 0 || delta.tv_usec < 0) && securelevel > 1) {
if ((delta.tv_sec < 0 || delta.tv_usec < 0) &&
kauth_authorize_system(p->p_cred, KAUTH_SYSTEM_TIME,
KAUTH_REQ_SYSTEM_TIME_BACKWARDS, NULL, NULL, NULL)) {
splx(s);
return (EPERM);
}
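Review bot: the `securelevel > 1` threshold for stepping the clock backwards becomes an unconditional KAUTH_REQ_SYSTEM_TIME_BACKWARDS request, so the "very secure only" policy now has to live in the listener; confirm bsd44 denies this request only at securelevel 2 and above, otherwise ntpd and date(1) on a securelevel-1 system change behaviour. The condition also uses the raw return value as a boolean where the adjacent calls compare `!= 0`; pick one style.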
@ -253,8 +255,8 @@ sys_clock_settime(struct lwp *l, void *v, register_t *retval)
} */ *uap = v;
int error;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_TIME,
KAUTH_REQ_SYSTEM_TIME_SYSTEM, NULL, NULL, NULL)) != 0)
return (error);
return clock_settime1(l->l_proc, SCARG(uap, clock_id), SCARG(uap, tp));
@ -469,8 +471,8 @@ sys_settimeofday(struct lwp *l, void *v, register_t *retval)
} */ *uap = v;
int error;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_TIME,
KAUTH_REQ_SYSTEM_TIME_SYSTEM, NULL, NULL, NULL)) != 0)
return (error);
return settimeofday1(SCARG(uap, tv), SCARG(uap, tzp), l->l_proc);
@ -520,8 +522,8 @@ sys_adjtime(struct lwp *l, void *v, register_t *retval)
} */ *uap = v;
int error;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_TIME,
KAUTH_REQ_SYSTEM_TIME_ADJTIME, NULL, NULL, NULL)) != 0)
return (error);
return adjtime1(SCARG(uap, delta), SCARG(uap, olddelta), l->l_proc);


@ -1,4 +1,4 @@
/* $NetBSD: kern_xxx.c,v 1.59 2006/07/23 22:06:11 ad Exp $ */
/* $NetBSD: kern_xxx.c,v 1.60 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1993
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_xxx.c,v 1.59 2006/07/23 22:06:11 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: kern_xxx.c,v 1.60 2006/09/08 20:58:57 elad Exp $");
#include "opt_syscall_debug.h"
@ -59,8 +59,8 @@ sys_reboot(struct lwp *l, void *v, register_t *retval)
int error;
char *bootstr, bs[128];
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_REBOOT,
0, NULL, NULL, NULL)) != 0)
return (error);
/*


@ -1,4 +1,4 @@
/* $NetBSD: vfs_syscalls.c,v 1.267 2006/08/08 13:08:08 yamt Exp $ */
/* $NetBSD: vfs_syscalls.c,v 1.268 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1989, 1993
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.267 2006/08/08 13:08:08 yamt Exp $");
__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.268 2006/09/08 20:58:57 elad Exp $");
#include "opt_compat_netbsd.h"
#include "opt_compat_43.h"
@ -1019,8 +1019,8 @@ sys_fchroot(struct lwp *l, void *v, register_t *retval)
struct file *fp;
int error;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHROOT,
KAUTH_REQ_SYSTEM_CHROOT_FCHROOT, NULL, NULL, NULL)) != 0)
return error;
/* getvnode() will use the descriptor for us */
if ((error = getvnode(fdp, SCARG(uap, fd), &fp)) != 0)
@ -1099,8 +1099,8 @@ sys_chroot(struct lwp *l, void *v, register_t *retval)
int error;
struct nameidata nd;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHROOT,
KAUTH_REQ_SYSTEM_CHROOT_CHROOT, NULL, NULL, NULL)) != 0)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
SCARG(uap, path), l);
@ -1435,8 +1435,8 @@ sys___getfh30(struct lwp *l, void *v, register_t *retval)
/*
* Must be super user
*/
error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag);
error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE,
0, NULL, NULL, NULL);
if (error)
return (error);
NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF, UIO_USERSPACE,
@ -1495,8 +1495,8 @@ dofhopen(struct lwp *l, const void *ufhp, size_t fhsize, int oflags,
/*
* Must be super user
*/
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)))
error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE,
0, NULL, NULL, NULL);
return (error);
flags = FFLAGS(oflags);
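Review bot: the `if` around the authorization call was lost, so dofhopen() now executes `return (error);` unconditionally right after the check and never reaches `flags = FFLAGS(oflags);`: fhopen(2) returns 0 without opening anything for a privileged caller, and EPERM otherwise. Restore the conditional: `if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE, 0, NULL, NULL, NULL)) != 0)`.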
@ -1630,8 +1630,8 @@ dofhstat(struct lwp *l, const void *ufhp, size_t fhsize, struct stat *sbp,
/*
* Must be super user
*/
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE,
0, NULL, NULL, NULL)) != KAUTH_RESULT_ALLOW)
return (error);
error = vfs_copyinfh_alloc(ufhp, fhsize, &fh);
@ -1681,8 +1681,8 @@ dofhstatvfs(struct lwp *l, const void *ufhp, size_t fhsize, struct statvfs *buf,
/*
* Must be super user
*/
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_FILEHANDLE,
0, NULL, NULL, NULL)) != KAUTH_RESULT_ALLOW)
return error;
error = vfs_copyinfh_alloc(ufhp, fhsize, &fh);
@ -1744,8 +1744,8 @@ sys_mknod(struct lwp *l, void *v, register_t *retval)
int whiteout = 0;
struct nameidata nd;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)) != 0)
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_MKNOD,
0, NULL, NULL, NULL)) != 0)
return (error);
restart:
NDINIT(&nd, CREATE, LOCKPARENT, UIO_USERSPACE, SCARG(uap, path), l);


@ -1,4 +1,4 @@
/* $NetBSD: spec_vnops.c,v 1.88 2006/08/11 19:17:47 christos Exp $ */
/* $NetBSD: spec_vnops.c,v 1.89 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1989, 1993
@ -36,7 +36,7 @@
#endif
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.88 2006/08/11 19:17:47 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.89 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@ -193,36 +193,45 @@ spec_open(v)
if (vp->v_mount && (vp->v_mount->mnt_flag & MNT_NODEV))
return (ENXIO);
#define M2K(m) (((m) & FREAD) && ((m) & FWRITE) ? KAUTH_REQ_SYSTEM_RAWIO_RW : \
(m) & FWRITE ? KAUTH_REQ_SYSTEM_RAWIO_WRITE : \
KAUTH_REQ_SYSTEM_RAWIO_READ)
switch (vp->v_type) {
case VCHR:
cdev = cdevsw_lookup(dev);
if (cdev == NULL)
return (ENXIO);
if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
/*
* When running in very secure mode, do not allow
* opens for writing of any disk character devices.
*/
if (securelevel >= 2 && cdev->d_type == D_DISK)
return (EPERM);
/*
* When running in secure mode, do not allow opens
* for writing of /dev/mem, /dev/kmem, or character
* devices whose corresponding block devices are
* currently mounted.
*/
if (ap->a_cred != FSCRED) {
u_long rw;
rw = M2K(ap->a_mode);
error = 0;
bvp = NULL;
if (securelevel >= 1) {
/* XXX we're holding a vnode lock here */
if (iskmemdev(dev)) {
error = kauth_authorize_system(ap->a_cred,
KAUTH_SYSTEM_RAWIO,
KAUTH_REQ_SYSTEM_RAWIO_MEMORY,
(void *)rw, NULL, NULL);
} else {
blkdev = devsw_chr2blk(dev);
if (blkdev != (dev_t)NODEV &&
vfinddev(blkdev, VBLK, &bvp) &&
(error = vfs_mountedon(bvp)))
return (error);
if (iskmemdev(dev))
return (EPERM);
if (blkdev != (dev_t)NODEV) {
vfinddev(blkdev, VBLK, &bvp);
error = kauth_authorize_system(ap->a_cred,
KAUTH_SYSTEM_RAWIO,
KAUTH_REQ_SYSTEM_RAWIO_DISK,
(void *)rw, vp, (void *)(u_long)dev);
if (error) printf("nope.\n");
}
}
if (error)
return (error);
#if NVERIEXEC > 0
if (veriexec_strict >= VERIEXEC_IPS && iskmemdev(dev))
return (error);
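Review bot: three points in the VCHR branch. First, `if (error) printf("nope.\n");` is a debugging leftover and must go. Second, the old path refused opens of a character device whose block device is mounted (`vfinddev(blkdev, VBLK, &bvp) && (error = vfs_mountedon(bvp))`); the new code still looks up `bvp` but neither calls vfs_mountedon() on it nor passes it to the listener (it passes `vp` and `dev`), so that protection now exists only if the bsd44 RAWIO_DISK listener recomputes it, and `bvp` is set but unused in this hunk. Third, the `(ap->a_mode & FWRITE)` gate is gone, so read-only opens of /dev/mem, /dev/kmem and disk devices now go through authorization as well; M2K encodes the mode so this is a reasonable tightening, but it is a behaviour change worth a line in the commit message.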
@ -231,6 +240,7 @@ spec_open(v)
return (error);
#endif /* NVERIEXEC > 0 */
}
if (cdev->d_type == D_TTY)
vp->v_flag |= VISTTY;
VOP_UNLOCK(vp, 0);
@ -245,19 +255,23 @@ spec_open(v)
bdev = bdevsw_lookup(dev);
if (bdev == NULL)
return (ENXIO);
/*
* When running in very secure mode, do not allow
* opens for writing of any disk block devices.
*/
if (securelevel >= 2 && ap->a_cred != FSCRED &&
(ap->a_mode & FWRITE) && bdev->d_type == D_DISK)
return (EPERM);
/*
* Do not allow opens of block devices that are
* currently mounted.
*/
if ((error = vfs_mountedon(vp)) != 0)
return (error);
if (ap->a_cred != FSCRED) {
u_long rw;
rw = M2K(ap->a_mode);
error = kauth_authorize_system(ap->a_cred,
KAUTH_SYSTEM_RAWIO,
KAUTH_REQ_SYSTEM_RAWIO_DISK,
(void *)rw, vp, (void *)(u_long)dev);
if (error)
return (error);
}
#if NVERIEXEC > 0
error = veriexec_rawchk(vp);
@ -280,6 +294,8 @@ spec_open(v)
return 0;
}
#undef M2K
if (error)
return error;
if (!(*d_ioctl)(vp->v_rdev, DIOCGPART, (caddr_t)&pi, FREAD, curlwp))


@ -1,4 +1,4 @@
/* $NetBSD: umap_vnops.c,v 1.39 2006/05/14 21:32:21 elad Exp $ */
/* $NetBSD: umap_vnops.c,v 1.40 2006/09/08 20:58:57 elad Exp $ */
/*
* Copyright (c) 1992, 1993
@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: umap_vnops.c,v 1.39 2006/05/14 21:32:21 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: umap_vnops.c,v 1.40 2006/09/08 20:58:57 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -193,7 +193,8 @@ umap_bypass(v)
credp = *credpp;
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(credp) != 0)
kauth_authorize_generic(credp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: user was %d, group %d\n",
kauth_cred_geteuid(credp), kauth_cred_getegid(credp));
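Review bot: in a debugging printf path, a cheap `kauth_cred_geteuid(credp) != 0` test is replaced by a full kauth_authorize_generic(KAUTH_GENERIC_ISSUSER) round trip through the listener chain, in thirteen places across umap_bypass(), umap_lookup() and umap_rename(), while the rest of this patch is removing KAUTH_GENERIC_ISSUSER users. Since these lines only decide whether to print the credential, either keep the euid test behind the LAYERFS_MBYPASSDEBUG flag or, if the conversion is kept, target a real process- or system-scope request rather than the generic one.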
@ -202,7 +203,8 @@ umap_bypass(v)
umap_mapids(vp0->v_mount, credp);
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(credp) != 0)
kauth_authorize_generic(credp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: user now %d, group %d\n",
kauth_cred_geteuid(credp), kauth_cred_getegid(credp));
}
@ -222,7 +224,8 @@ umap_bypass(v)
compcredp = (*compnamepp)->cn_cred;
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: component credit user was %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));
@ -231,7 +234,8 @@ umap_bypass(v)
umap_mapids(vp0->v_mount, compcredp);
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: component credit user now %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));
}
@ -307,7 +311,8 @@ umap_bypass(v)
kauth_cred_free(credp);
*credpp = savecredp;
if ((flags & LAYERFS_MBYPASSDEBUG) && credpp &&
kauth_cred_geteuid((*credpp)) != 0)
kauth_authorize_generic(*credpp,
KAUTH_GENERIC_ISSUSER,NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: returning-user now %d\n\n",
kauth_cred_geteuid(savecredp));
}
@ -315,7 +320,8 @@ umap_bypass(v)
if (descp->vdesc_componentname_offset != VDESC_NO_OFFSET) {
if ((flags & LAYERFS_MBYPASSDEBUG) && compcredp &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: returning-component-user was %d\n",
kauth_cred_geteuid(compcredp));
@ -323,7 +329,8 @@ umap_bypass(v)
kauth_cred_free(compcredp);
(*compnamepp)->cn_cred = savecompcredp;
if ((flags & LAYERFS_MBYPASSDEBUG) && savecompcredp &&
kauth_cred_geteuid(savecompcredp) != 0)
kauth_authorize_generic(savecompcredp,
KAUTH_GENERIC_ISSUSER, NULL) != KAUTH_RESULT_ALLOW)
printf("umap_bypass: returning-component-user now %d\n",
kauth_cred_geteuid(savecompcredp));
}
@ -378,7 +385,9 @@ umap_lookup(v)
compcredp = kauth_cred_dup(savecompcredp);
cnp->cn_cred = compcredp;
if ((flags & LAYERFS_MBYPASSDEBUG) && kauth_cred_geteuid(compcredp) != 0)
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_lookup: component credit user was %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));
@ -386,7 +395,9 @@ umap_lookup(v)
umap_mapids(mp, compcredp);
}
if ((flags & LAYERFS_MBYPASSDEBUG) && compcredp && kauth_cred_geteuid(compcredp) != 0)
if ((flags & LAYERFS_MBYPASSDEBUG) && compcredp &&
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_lookup: component credit user now %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));
@ -423,7 +434,8 @@ umap_lookup(v)
* Free duplicate cred structure and restore old one.
*/
if ((flags & LAYERFS_MBYPASSDEBUG) && compcredp &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_lookup: returning-component-user was %d\n",
kauth_cred_geteuid(compcredp));
@ -432,7 +444,8 @@ umap_lookup(v)
kauth_cred_free(compcredp);
cnp->cn_cred = savecompcredp;
if ((flags & LAYERFS_MBYPASSDEBUG) && savecompcredp &&
kauth_cred_geteuid(savecompcredp) != 0)
kauth_authorize_generic(savecompcredp,
KAUTH_GENERIC_ISSUSER, NULL) != KAUTH_RESULT_ALLOW)
printf("umap_lookup: returning-component-user now %d\n",
kauth_cred_geteuid(savecompcredp));
}
@ -564,7 +577,8 @@ umap_rename(v)
compcredp = compnamep->cn_cred = kauth_cred_dup(savecompcredp);
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_rename: rename component credit user was %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));
@ -573,7 +587,8 @@ umap_rename(v)
umap_mapids(vp->v_mount, compcredp);
if ((flags & LAYERFS_MBYPASSDEBUG) &&
kauth_cred_geteuid(compcredp) != 0)
kauth_authorize_generic(compcredp, KAUTH_GENERIC_ISSUSER,
NULL) != KAUTH_RESULT_ALLOW)
printf("umap_rename: rename component credit user now %d, group %d\n",
kauth_cred_geteuid(compcredp), kauth_cred_getegid(compcredp));

@ -1,4 +1,4 @@
/* $NetBSD: rtsock.c,v 1.87 2006/09/03 05:08:18 christos Exp $ */
/* $NetBSD: rtsock.c,v 1.88 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.87 2006/09/03 05:08:18 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.88 2006/09/08 20:58:58 elad Exp $");
#include "opt_inet.h"
@ -260,9 +260,8 @@ route_output(struct mbuf *m, ...)
* Verify that the caller has the appropriate privilege; RTM_GET
* is the only operation the non-superuser is allowed.
*/
if (rtm->rtm_type != RTM_GET &&
kauth_authorize_generic(curlwp->l_cred, KAUTH_GENERIC_ISSUSER,
&curlwp->l_acflag) != 0)
if (kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_ROUTE,
rtm, NULL, NULL, NULL) != 0)
senderr(EACCES);
switch (rtm->rtm_type) {
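Review bot: the comment directly above the changed lines still says "RTM_GET is the only operation the non-superuser is allowed", but that rule no longer lives here: the `rtm->rtm_type != RTM_GET` test is gone and the decision is delegated entirely via `kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_ROUTE, rtm, ...)`, so the comment should say the policy belongs to the security model. Passing the raw `rtm` pointer as arg0 also forces listeners to parse `struct rt_msghdr` (the bsd44 suser listener casts arg0 to it unconditionally); passing `rtm->rtm_type` as an integer request, the way KAUTH_NETWORK_BIND and KAUTH_NETWORK_SOCKET pass their KAUTH_REQ_* values, would decouple the scope from the routing socket's message format and remove a pointer dereference from the listener. Lastly, `!= 0` here versus `!= KAUTH_RESULT_ALLOW` in the ip_input.c hunk: use one comparison at every call site.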

@ -1,4 +1,4 @@
/* $NetBSD: in_pcb.c,v 1.103 2006/07/23 22:06:13 ad Exp $ */
/* $NetBSD: in_pcb.c,v 1.104 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.103 2006/07/23 22:06:13 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.104 2006/09/08 20:58:58 elad Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@ -218,7 +218,7 @@ in_pcbbind(void *v, struct mbuf *nam, struct lwp *l)
struct inpcb *inp = v;
struct socket *so = inp->inp_socket;
struct inpcbtable *table = inp->inp_table;
struct sockaddr_in *sin;
struct sockaddr_in *sin = NULL; /* XXXGCC */
u_int16_t lport = 0;
int wild = 0, reuseport = (so->so_options & SO_REUSEPORT);
@ -267,8 +267,10 @@ in_pcbbind(void *v, struct mbuf *nam, struct lwp *l)
#ifndef IPNOPRIVPORTS
/* GROSS */
if (ntohs(lport) < IPPORT_RESERVED &&
(l == 0 || kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag)))
(l == 0 || kauth_authorize_network(l->l_cred,
KAUTH_NETWORK_BIND,
(void *)KAUTH_REQ_NETWORK_BIND_PRIVPORT, so, sin,
NULL)))
return (EACCES);
#endif
#ifdef INET6
@ -309,8 +311,10 @@ noname:
if (inp->inp_flags & INP_LOWPORT) {
#ifndef IPNOPRIVPORTS
if (l == 0 || kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag))
if (l == 0 || kauth_authorize_network(l->l_cred,
KAUTH_NETWORK_BIND,
(void *)KAUTH_REQ_NETWORK_BIND_PRIVPORT, so,
sin, NULL))
return (EACCES);
#endif
mymin = lowportmin;
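Review bot: on this `noname:` path `sin` is never set from `nam`, which is why the earlier hunk had to add `struct sockaddr_in *sin = NULL; /* XXXGCC */`, so `kauth_authorize_network(..., KAUTH_REQ_NETWORK_BIND_PRIVPORT, so, sin, NULL)` hands listeners a NULL arg2 here but a valid sockaddr in the first hunk. The bsd44 suser listener ignores arg2, so nothing breaks today, but the argument contract for KAUTH_NETWORK_BIND must state that arg2 may be NULL, or the first model that inspects the requested address will fault on an unnamed bind. Both hunks also treat any non-zero return as failure (`l == 0 || kauth_authorize_network(...)`), which relies on KAUTH_RESULT_ALLOW being 0; comparing against KAUTH_RESULT_ALLOW explicitly would match the ip_input.c hunk.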

@ -1,4 +1,4 @@
/* $NetBSD: ip_input.c,v 1.229 2006/08/30 18:55:09 christos Exp $ */
/* $NetBSD: ip_input.c,v 1.230 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -98,7 +98,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.229 2006/08/30 18:55:09 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.230 2006/09/08 20:58:58 elad Exp $");
#include "opt_inet.h"
#include "opt_gateway.h"
@ -121,6 +121,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.229 2006/08/30 18:55:09 christos Exp
#include <sys/kernel.h>
#include <sys/pool.h>
#include <sys/sysctl.h>
#include <sys/kauth.h>
#include <net/if.h>
#include <net/if_dl.h>
@ -2111,7 +2112,8 @@ sysctl_net_inet_ip_forwsrcrt(SYSCTLFN_ARGS)
if (error || newp == NULL)
return (error);
if (securelevel > 0)
if (kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FORWSRCRT,
NULL, NULL, NULL, NULL) != KAUTH_RESULT_ALLOW)
return (EPERM);
ip_forwsrcrt = tmp;
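Review bot: replacing `if (securelevel > 0)` with `kauth_authorize_network(l->l_cred, KAUTH_NETWORK_FORWSRCRT, ...)` dereferences `l` unconditionally, whereas the in_pcb.c and raw_ip.c hunks in this change guard with `l == 0` first; if this sysctl handler can be reached without an lwp, the old code was safe and the new one is not. Note also that, of the listeners added in this patch, only the securelevel network listener answers KAUTH_NETWORK_FORWSRCRT (ALLOW when securelevel < 1) and the suser network listener defers, so the request carries no superuser requirement of its own; the write stays root-only only if the sysctl framework enforces that before calling this handler, which deserves a comment here.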

@ -1,4 +1,4 @@
/* $NetBSD: raw_ip.c,v 1.90 2006/07/23 22:06:13 ad Exp $ */
/* $NetBSD: raw_ip.c,v 1.91 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.90 2006/07/23 22:06:13 ad Exp $");
__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.91 2006/09/08 20:58:58 elad Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@ -541,8 +541,10 @@ rip_usrreq(struct socket *so, int req,
error = EISCONN;
break;
}
if (l == 0 || (error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, &l->l_acflag))) {
if (l == 0 || (error = kauth_authorize_network(l->l_cred,
KAUTH_NETWORK_SOCKET,
(void *)KAUTH_REQ_NETWORK_SOCKET_RAWSOCK, so, NULL,
NULL))) {
error = EACCES;
break;
}
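Review bot: `error = kauth_authorize_network(...)` inside the condition is a dead store, because the body immediately overwrites it with `error = EACCES`; either drop the assignment or propagate the listener's result. As in the in_pcb.c hunks, the test treats any non-zero return as failure instead of comparing against KAUTH_RESULT_ALLOW.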

@ -1,4 +1,4 @@
/* $NetBSD: tcp_usrreq.c,v 1.120 2006/09/05 00:29:36 rpaulo Exp $ */
/* $NetBSD: tcp_usrreq.c,v 1.121 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -102,7 +102,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.120 2006/09/05 00:29:36 rpaulo Exp $");
__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.121 2006/09/08 20:58:58 elad Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@ -1257,11 +1257,13 @@ sysctl_inpcblist(SYSCTLFN_ARGS)
if (inph->inph_af != pf)
continue;
/* XXX elad - should be done better */
if (security_curtain &&
(kauth_cred_geteuid(l->l_cred) != 0) &&
(kauth_cred_geteuid(l->l_cred) !=
inph->inph_socket->so_uidinfo->ui_uid))
#ifdef notyet
if (kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_CANSEE,
inph->inph_socket->so_cred) != KAUTH_RESULT_ALLOW)
#endif
if (kauth_cred_geteuid(l->l_cred) != 0 &&
kauth_cred_geteuid(l->l_cred) !=
inph->inph_socket->so_uidinfo->ui_uid)
continue;
memset(&pcb, 0, sizeof(pcb));
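Review bot: the live check lost its `security_curtain &&` gate, so non-root callers now see only their own PCBs unconditionally, where before they saw everything unless the curtain was enabled; that is a behaviour change for the default configuration, and it bypasses the new `security.models.bsd44.curtain` knob added elsewhere in this patch (the suser listener honours it for KAUTH_GENERIC_CANSEE and KAUTH_PROCESS_CANSEE, but this path never asks). Either test `secmodel_bsd44_curtain` here until the `#ifdef notyet` KAUTH_GENERIC_CANSEE call can be enabled, or call out the tightening. The `/* XXX elad - should be done better */` marker and the hard-coded `kauth_cred_geteuid(l->l_cred) != 0` compare are exactly what the rest of the change removes from other call sites.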

@ -0,0 +1,38 @@
/* $NetBSD: bsd44.h,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SECMODEL_BSD44_BSD44_H_
#define _SECMODEL_BSD44_BSD44_H_
void secmodel_bsd44_init(void);
void secmodel_bsd44_start(void);
#endif /* !_SECMODEL_BSD44_BSD44_H_ */

@ -0,0 +1,9 @@
# $NetBSD: files.bsd44,v 1.1 2006/09/08 20:58:57 elad Exp $
defflag secmodel_bsd44_logic
defflag secmodel_bsd44 : secmodel_bsd44_logic
file secmodel/bsd44/secmodel_bsd44.c secmodel_bsd44
file secmodel/bsd44/secmodel_bsd44_logic.c secmodel_bsd44_logic
file secmodel/bsd44/secmodel_bsd44_suser.c secmodel_bsd44_logic
file secmodel/bsd44/secmodel_bsd44_securelevel.c secmodel_bsd44_logic

@ -0,0 +1,101 @@
/* $NetBSD: secmodel_bsd44.c,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/sysctl.h>
#include <secmodel/secmodel.h>
#include <secmodel/bsd44/bsd44.h>
#include <secmodel/bsd44/suser.h>
#include <secmodel/bsd44/securelevel.h>
SYSCTL_SETUP(sysctl_security_bsd44_setup,
"sysctl security bsd44 setup")
{
const struct sysctlnode *rnode;
sysctl_createv(clog, 0, NULL, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "security", NULL,
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "models", NULL,
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "bsd44",
SYSCTL_DESCR("Traditional NetBSD Security model, " \
"derived from 4.4BSD"),
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_STRING, "name", NULL,
NULL, 0, __UNCONST("Traditional NetBSD (4.4BSD)"), 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "securelevel",
SYSCTL_DESCR("System security level"),
secmodel_bsd44_sysctl_securelevel, 0, &securelevel, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "curtain",
SYSCTL_DESCR("Curtain information about objects to "
"users not owning them."),
NULL, 0, &secmodel_bsd44_curtain, 0,
CTL_CREATE, CTL_EOL);
}
/*
* Start the traditional NetBSD security model.
*/
void
secmodel_start(void)
{
secmodel_bsd44_init();
secmodel_bsd44_suser_start();
secmodel_bsd44_securelevel_start();
}
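Review bot: the start routine defined here is `secmodel_start(void)`, but bsd44.h earlier in this patch prototypes `secmodel_bsd44_start(void)` and nothing defines that, so header and implementation disagree; either rename this function or declare `secmodel_start` in secmodel/secmodel.h and drop the dead prototype. `&secmodel_bsd44_curtain` is taken here, yet none of the headers visible in this patch declares the variable extern (it is defined in secmodel_bsd44_logic.c), so the build depends on a declaration from somewhere else; bsd44.h is the natural home. The `curtain` node is a READWRITE int with a NULL handler, so any value is stored; the listeners only test it for zero/non-zero, so this is harmless, but a handler that clamps to 0/1 would make the interface explicit.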

@ -0,0 +1,52 @@
/* $NetBSD: secmodel_bsd44_logic.c,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/sysctl.h>
#include <secmodel/bsd44/bsd44.h>
#include <secmodel/bsd44/suser.h>
#include <secmodel/bsd44/securelevel.h>
int secmodel_bsd44_curtain;
/*
* Initialize the traditional NetBSD security model.
*/
void
secmodel_bsd44_init(void)
{
secmodel_bsd44_securelevel_init();
secmodel_bsd44_curtain = 0;
}

@ -0,0 +1,422 @@
/* $NetBSD: secmodel_bsd44_securelevel.c,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This file contains kauth(9) listeners needed to implement the traditional
* NetBSD securelevel.
*
* The securelevel is a system-global indication on what operations are
* allowed or not. It affects all users, including root.
*/
#ifdef _KERNEL_OPT
#include "opt_insecure.h"
#endif /* _KERNEL_OPT */
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/conf.h>
#include <sys/mount.h>
#include <sys/sysctl.h>
#include <sys/vnode.h>
#include <secmodel/bsd44/securelevel.h>
/*
* XXX after we remove all securelevel references from the kernel,
* XXX this goes static.
*/
int securelevel;
/*
* sysctl helper routine for securelevel. ensures that the value
* only rises unless the caller has pid 1 (assumed to be init).
*/
int
secmodel_bsd44_sysctl_securelevel(SYSCTLFN_ARGS)
{
int newsecurelevel, error;
struct sysctlnode node;
newsecurelevel = securelevel;
node = *rnode;
node.sysctl_data = &newsecurelevel;
error = sysctl_lookup(SYSCTLFN_CALL(&node));
if (error || newp == NULL)
return (error);
if (newsecurelevel < securelevel && l && l->l_proc->p_pid != 1)
return (EPERM);
securelevel = newsecurelevel;
return (error);
}
void
secmodel_bsd44_securelevel_init(void)
{
#ifdef INSECURE
securelevel = -1;
#else
securelevel = 0;
#endif /* INSECURE */
}
SYSCTL_SETUP(sysctl_secmodel_bsd44_securelevel_setup,
"sysctl secmodel bsd44 securelevel setup")
{
/*
* For compatibility, we create a kern.securelevel variable.
*/
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "kern", NULL,
NULL, 0, NULL, 0,
CTL_KERN, CTL_EOL);
sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "securelevel",
SYSCTL_DESCR("System security level"),
secmodel_bsd44_sysctl_securelevel, 0, &securelevel, 0,
CTL_KERN, KERN_SECURELVL, CTL_EOL);
}
void
secmodel_bsd44_securelevel_start(void)
{
kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
secmodel_bsd44_securelevel_system_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_PROCESS,
secmodel_bsd44_securelevel_process_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_NETWORK,
secmodel_bsd44_securelevel_network_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
secmodel_bsd44_securelevel_machdep_cb, NULL);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: System
* Responsibility: Securelevel
*/
int
secmodel_bsd44_securelevel_system_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_SYSTEM_RAWIO: {
u_int rw;
rw = (u_int)(u_long)arg1;
switch ((u_long)arg0) {
case KAUTH_REQ_SYSTEM_RAWIO_MEMORY: {
switch (rw) {
case KAUTH_REQ_SYSTEM_RAWIO_READ:
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_REQ_SYSTEM_RAWIO_WRITE:
case KAUTH_REQ_SYSTEM_RAWIO_RW:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
}
case KAUTH_REQ_SYSTEM_RAWIO_DISK: {
struct vnode *vp = arg2;
dev_t dev = (dev_t)(u_long)arg3;
if (vp == NULL || dev == 0)
break;
switch (vp->v_type) {
case VCHR: {
const struct cdevsw *cdev;
struct vnode *bvp;
switch (rw) {
case KAUTH_REQ_SYSTEM_RAWIO_READ:
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_REQ_SYSTEM_RAWIO_WRITE:
case KAUTH_REQ_SYSTEM_RAWIO_RW:
cdev = cdevsw_lookup(dev);
if (cdev == NULL)
break;
if (cdev->d_type == D_DISK &&
securelevel > 1)
break;
bvp = NULL;
vfinddev(devsw_chr2blk(dev), VBLK, &bvp);
if (bvp != NULL) {
if (vfs_mountedon(bvp) &&
securelevel > 0)
break;
}
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
}
case VBLK: {
const struct bdevsw *bdev;
if (vfs_mountedon(vp))
break;
bdev = bdevsw_lookup(dev);
if (bdev == NULL)
break;
if (bdev->d_type == D_DISK &&
rw != KAUTH_REQ_SYSTEM_RAWIO_READ &&
securelevel > 1)
break;
result = KAUTH_RESULT_ALLOW;
break;
}
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
}
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
}
case KAUTH_SYSTEM_TIME:
switch ((u_long)arg0) {
case KAUTH_REQ_SYSTEM_TIME_BACKWARDS:
if (securelevel < 2)
result = KAUTH_RESULT_ALLOW;
case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_SYSTEM_LKM:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_SYSTEM_SYSCTL:
switch ((u_long)arg0) {
case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_SYSTEM_SETIDCORE:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_SYSTEM_DEBUG:
switch ((u_long)arg0) {
case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Process
* Responsibility: Securelevel
*/
int
secmodel_bsd44_securelevel_process_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_PROCESS_CORENAME:
if (securelevel < 2)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Network
* Responsibility: Securelevel
*/
int
secmodel_bsd44_securelevel_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_NETWORK_FIREWALL:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_FIREWALL_FW:
case KAUTH_REQ_NETWORK_FIREWALL_NAT:
if (securelevel < 2)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_NETWORK_FORWSRCRT:
if (securelevel < 1)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Machdep
* Responsibility: Securelevel
*/
int
secmodel_bsd44_securelevel_machdep_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_MACHDEP_X86:
switch ((u_long)arg0) {
case KAUTH_REQ_MACHDEP_X86_IOPL:
case KAUTH_REQ_MACHDEP_X86_IOPERM:
if (securelevel < 2)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
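Review bot: these listeners return KAUTH_RESULT_ALLOW, not DEFER, whenever securelevel does not restrict a request, and the companion suser listener never handles KAUTH_SYSTEM_RAWIO, KAUTH_SYSTEM_LKM, KAUTH_SYSTEM_SETIDCORE, KAUTH_SYSTEM_DEBUG, KAUTH_PROCESS_CORENAME or KAUTH_NETWORK_FORWSRCRT; for those actions the securelevel vote is the only vote, and `cred` is unused in all four callbacks, so RAWIO_MEMORY read is ALLOW for any uid and LKM is ALLOW for any uid at securelevel 0. If that gating is meant to stay at the call sites (device node permissions, the sysctl root check), the file header should say so; otherwise the suser listener needs matching cases, or this listener should DEFER when it has no objection so only an explicit deny elsewhere decides. Smaller points: `case KAUTH_REQ_SYSTEM_TIME_BACKWARDS:` has no `break` and falls into the RTCOFFSET case (harmless today, since it can only re-set ALLOW, but it will bite when the two cases diverge); `secmodel_bsd44_sysctl_securelevel` permits lowering the level whenever `l` is NULL, so unless that is intended the test should be `l == NULL || l->l_proc->p_pid != 1`; `dev == 0` in the RAWIO_DISK branch rejects a legitimate major/minor 0 where NODEV is the conventional sentinel; and the VBLK `vfs_mountedon(vp)` deny ignores both `rw` and securelevel, so it is a busy check rather than securelevel policy, and callers that returned EBUSY for it will now return whatever they map a kauth deny to.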

@ -0,0 +1,397 @@
/* $NetBSD: secmodel_bsd44_suser.c,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
* 5. Use of the code by Wasabi Systems Inc. is hereby prohibited without
* written approval from the author.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/*
* This file contains kauth(9) listeners needed to implement the traditional
* NetBSD superuser access restrictions.
*
* There are two main resources a request can be issued to: user-owned and
* system owned. For the first, traditional Unix access checks are done, as
* well as superuser checks. If needed, the request context is examined before
* a decision is made. For the latter, usually only superuser checks are done
* as normal users are not allowed to access system resources.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/acct.h>
#include <sys/ktrace.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/sysctl.h>
#include <net/route.h>
#include <secmodel/bsd44/suser.h>
void
secmodel_bsd44_suser_start(void)
{
kauth_listen_scope(KAUTH_SCOPE_GENERIC,
secmodel_bsd44_suser_generic_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
secmodel_bsd44_suser_system_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_PROCESS,
secmodel_bsd44_suser_process_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_NETWORK,
secmodel_bsd44_suser_network_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
secmodel_bsd44_suser_machdep_cb, NULL);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Generic
* Responsibility: Superuser access
*/
int
secmodel_bsd44_suser_generic_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
boolean_t isroot;
int result;
isroot = (kauth_cred_geteuid(cred) == 0);
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_GENERIC_ISSUSER:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_GENERIC_CANSEE:
if (!secmodel_bsd44_curtain)
result = KAUTH_RESULT_ALLOW;
else if (isroot || kauth_cred_uidmatch(cred, arg0))
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: System
* Responsibility: Superuser access
*/
int
secmodel_bsd44_suser_system_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
boolean_t isroot;
int result;
isroot = (kauth_cred_geteuid(cred) == 0);
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_SYSTEM_TIME:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_SYSTEM_SYSCTL:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_SYSTEM_SWAPCTL:
case KAUTH_SYSTEM_ACCOUNTING:
case KAUTH_SYSTEM_REBOOT:
case KAUTH_SYSTEM_CHROOT:
case KAUTH_SYSTEM_FILEHANDLE:
case KAUTH_SYSTEM_MKNOD:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Process
* Responsibility: Superuser access
*/
int
secmodel_bsd44_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
struct proc *p;
boolean_t isroot;
int result;
isroot = (kauth_cred_geteuid(cred) == 0);
result = KAUTH_RESULT_DENY;
p = arg0;
switch (action) {
case KAUTH_PROCESS_CANSIGNAL: {
int signum;
signum = (int)(unsigned long)arg1;
if (isroot || kauth_cred_uidmatch(cred, p->p_cred) ||
(signum == SIGCONT && (curproc->p_session == p->p_session)))
result = KAUTH_RESULT_ALLOW;
break;
}
case KAUTH_PROCESS_CANSEE:
if (!secmodel_bsd44_curtain)
result = KAUTH_RESULT_ALLOW;
else if (isroot || kauth_cred_uidmatch(cred, p->p_cred))
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_PROCESS_RESOURCE:
switch ((u_long)arg1) {
case KAUTH_REQ_PROCESS_RESOURCE_NICE:
if (isroot)
result = KAUTH_RESULT_ALLOW;
else if ((u_long)arg2 >= p->p_nice)
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_REQ_PROCESS_RESOURCE_RLIMIT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
else {
struct rlimit *new_rlimit;
u_long which;
new_rlimit = arg2;
which = (u_long)arg3;
if (new_rlimit->rlim_max <=
p->p_rlimit[which].rlim_max)
result = KAUTH_RESULT_ALLOW;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_PROCESS_SETID:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Network
* Responsibility: Superuser access
*/
int
secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
boolean_t isroot;
int result;
isroot = (kauth_cred_geteuid(cred) == 0);
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_NETWORK_FIREWALL:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_FIREWALL_FW:
case KAUTH_REQ_NETWORK_FIREWALL_NAT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_NETWORK_ALTQ:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_ALTQ_AFMAP:
case KAUTH_REQ_NETWORK_ALTQ_BLUE:
case KAUTH_REQ_NETWORK_ALTQ_CBQ:
case KAUTH_REQ_NETWORK_ALTQ_CDNR:
case KAUTH_REQ_NETWORK_ALTQ_CONF:
case KAUTH_REQ_NETWORK_ALTQ_FIFOQ:
case KAUTH_REQ_NETWORK_ALTQ_HFSC:
case KAUTH_REQ_NETWORK_ALTQ_PRIQ:
case KAUTH_REQ_NETWORK_ALTQ_RED:
case KAUTH_REQ_NETWORK_ALTQ_RIO:
case KAUTH_REQ_NETWORK_ALTQ_WFQ:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_NETWORK_SOCKET:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_ALLOW;
break;
}
break;
case KAUTH_NETWORK_BIND:
switch ((u_long)arg0) {
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_ALLOW;
break;
}
break;
case KAUTH_NETWORK_ROUTE:
switch (((struct rt_msghdr *)arg0)->rtm_type) {
case RTM_GET:
result = KAUTH_RESULT_ALLOW;
break;
default:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
/*
* kauth(9) listener
*
* Security model: Traditional NetBSD
* Scope: Machdep
* Responsibility: Superuser access
*/
int
secmodel_bsd44_suser_machdep_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
boolean_t isroot;
int result;
isroot = (kauth_cred_geteuid(cred) == 0);
result = KAUTH_RESULT_DENY;
switch (action) {
case KAUTH_MACHDEP_X86:
switch ((u_long)arg0) {
case KAUTH_REQ_MACHDEP_X86_IOPL:
case KAUTH_REQ_MACHDEP_X86_IOPERM:
case KAUTH_REQ_MACHDEP_X86_MTRR_SET:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
case KAUTH_MACHDEP_X86_64:
switch ((u_long)arg0) {
case KAUTH_REQ_MACHDEP_X86_64_MTRR_GET:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
return (result);
}
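Review bot: the `default:` arms of the KAUTH_NETWORK_SOCKET and KAUTH_NETWORK_BIND switches return KAUTH_RESULT_ALLOW, unlike every other switch in this file and in the securelevel listener, which DEFER on requests they do not recognise; any KAUTH_REQ_NETWORK_SOCKET_* or KAUTH_REQ_NETWORK_BIND_* value added later is therefore granted to every credential until this listener is updated. Make those defaults DEFER (or DENY) so unknown requests fail closed. In KAUTH_PROCESS_CANSIGNAL the SIGCONT exemption compares `curproc->p_session`, not anything derived from `cred` or the arguments, which assumes the requester is always the current process; document that or pass the requesting process in. KAUTH_NETWORK_ROUTE casts `arg0` to `struct rt_msghdr *` and dereferences it with no NULL check, so the scope's contract must require a non-NULL message. The KAUTH_REQ_PROCESS_RESOURCE_RLIMIT arm indexes `p->p_rlimit[which]` with `which` taken straight from arg3 and unvalidated. Lastly, licence clause 5 ("Use of the code by Wasabi Systems Inc. is hereby prohibited") appears only in this file; the other new files carry the plain 4-clause licence, and a use restriction naming a party is not the licence the rest of the tree uses, so it needs a deliberate decision before this lands.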

@ -0,0 +1,49 @@
/* $NetBSD: securelevel.h,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SECMODEL_BSD44_SECURELEVEL_H_
#define _SECMODEL_BSD44_SECURELEVEL_H_
int secmodel_bsd44_sysctl_securelevel(SYSCTLFN_PROTO);
void secmodel_bsd44_securelevel_init(void);
void secmodel_bsd44_securelevel_start(void);
int secmodel_bsd44_securelevel_system_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_securelevel_process_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_securelevel_network_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_securelevel_machdep_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
#endif /* !_SECMODEL_BSD44_SECURELEVEL_H_ */
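Review bot: the prototypes use kauth_cred_t, kauth_action_t and SYSCTLFN_PROTO, but the header includes neither <sys/kauth.h> nor <sys/sysctl.h>, so it only compiles when the includer has already pulled both in (secmodel_overlay.c in this commit does, in that order). Either add the two includes here or state the ordering requirement in a comment next to the header guard.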


@ -0,0 +1,50 @@
/* $NetBSD: suser.h,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SECMODEL_BSD44_SUSER_H_
#define _SECMODEL_BSD44_SUSER_H_
extern int secmodel_bsd44_curtain;
void secmodel_bsd44_suser_start(void);
int secmodel_bsd44_suser_generic_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_suser_system_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_suser_process_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_suser_network_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_bsd44_suser_machdep_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
#endif /* !_SECMODEL_BSD44_SUSER_H_ */
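Review bot: same include dependency as securelevel.h: kauth_cred_t and kauth_action_t are used without <sys/kauth.h>. This header is also the one place that exports secmodel_bsd44_curtain, so files that include it (secmodel_overlay.c in this commit) should rely on it rather than carrying their own `extern int secmodel_bsd44_curtain;`, leaving the declaration with a single home. Since the variable is exposed read-write through sysctl, a one-line comment on what a non-zero value hides from whom would help.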


@ -0,0 +1,11 @@
# $NetBSD: files.secmodel,v 1.1 2006/09/08 20:58:56 elad Exp $
#
# Traditional NetBSD (derived from 4.4BSD)
#
include "secmodel/bsd44/files.bsd44"
#
# Sample overlay model on-top of the traditional one
#
include "secmodel/overlay/files.overlay"
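Review bot: including files.overlay here puts the sample overlay into every kernel's file list; that is harmless as long as secmodel_overlay.c is compiled only under the `secmodel_overlay` option, but the comment above the include should say so ("sample, off by default") so nobody reads this as a second model that is always built in.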


@ -0,0 +1,5 @@
# $NetBSD: files.overlay,v 1.1 2006/09/08 20:58:57 elad Exp $
defflag secmodel_overlay : secmodel_bsd44_logic
file secmodel/overlay/secmodel_overlay.c secmodel_overlay
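Review bot: `defflag secmodel_overlay : secmodel_bsd44_logic` makes the overlay depend on a bsd44 attribute that is not defined in this file, and secmodel_overlay.c defines secmodel_start(), the symbol declared in secmodel.h. If the bsd44 model's own source also provides secmodel_start(), a kernel that enables both `options secmodel_bsd44` and `options secmodel_overlay` links two definitions; either make the two options mutually exclusive in the config files or state in a comment here that the overlay replaces, rather than adds to, the bsd44 start hook.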


@ -0,0 +1,49 @@
/* $NetBSD: overlay.h,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SECMODEL_OVERLAY_OVERLAY_H_
#define _SECMODEL_OVERLAY_OVERLAY_H_
void secmodel_overlay_init(void);
void secmodel_overlay_start(void);
int secmodel_overlay_generic_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_overlay_system_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_overlay_process_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_overlay_network_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
int secmodel_overlay_machdep_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
#endif /* !_SECMODEL_OVERLAY_OVERLAY_H_ */
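Review bot: secmodel_overlay_start() is declared here but nothing in this commit defines it; secmodel_overlay.c defines secmodel_start() instead (the hook from secmodel.h), under a comment reading "Start the overlay security model". Either rename that definition to secmodel_overlay_start() and have secmodel_start() call it, or drop this prototype so the header does not advertise a symbol that does not exist. As with the bsd44 headers, kauth_cred_t and kauth_action_t are used without including <sys/kauth.h>.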


@ -0,0 +1,306 @@
/* $NetBSD: secmodel_overlay.c,v 1.1 2006/09/08 20:58:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kauth.h>
#include <sys/sysctl.h>
#include <secmodel/secmodel.h>
#include <secmodel/overlay/overlay.h>
#include <secmodel/bsd44/bsd44.h>
#include <secmodel/bsd44/suser.h>
#include <secmodel/bsd44/securelevel.h>
/*
* Fall-back settings.
*/
#define OVERLAY_ISCOPE_GENERIC "org.netbsd.kauth.overlay.generic"
#define OVERLAY_ISCOPE_SYSTEM "org.netbsd.kauth.overlay.system"
#define OVERLAY_ISCOPE_PROCESS "org.netbsd.kauth.overlay.process"
#define OVERLAY_ISCOPE_NETWORK "org.netbsd.kauth.overlay.network"
#define OVERLAY_ISCOPE_MACHDEP "org.netbsd.kauth.overlay.machdep"
static kauth_scope_t secmodel_overlay_iscope_generic;
static kauth_scope_t secmodel_overlay_iscope_system;
static kauth_scope_t secmodel_overlay_iscope_process;
static kauth_scope_t secmodel_overlay_iscope_network;
static kauth_scope_t secmodel_overlay_iscope_machdep;
extern int secmodel_bsd44_curtain;
/*
* Initialize the overlay security model.
*/
void
secmodel_overlay_init(void)
{
/*
* Register internal fall-back scopes.
*/
secmodel_overlay_iscope_generic = kauth_register_scope(
OVERLAY_ISCOPE_GENERIC, NULL, NULL);
secmodel_overlay_iscope_system = kauth_register_scope(
OVERLAY_ISCOPE_SYSTEM, NULL, NULL);
secmodel_overlay_iscope_process = kauth_register_scope(
OVERLAY_ISCOPE_PROCESS, NULL, NULL);
secmodel_overlay_iscope_network = kauth_register_scope(
OVERLAY_ISCOPE_NETWORK, NULL, NULL);
secmodel_overlay_iscope_machdep = kauth_register_scope(
OVERLAY_ISCOPE_MACHDEP, NULL, NULL);
/*
* Register fall-back listeners, from bsd44, to each internal
* fall-back scope.
*/
kauth_listen_scope(OVERLAY_ISCOPE_GENERIC,
secmodel_bsd44_suser_generic_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_SYSTEM,
secmodel_bsd44_suser_system_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_SYSTEM,
secmodel_bsd44_securelevel_system_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_PROCESS,
secmodel_bsd44_suser_process_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_PROCESS,
secmodel_bsd44_securelevel_process_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_NETWORK,
secmodel_bsd44_suser_network_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_NETWORK,
secmodel_bsd44_securelevel_network_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_MACHDEP,
secmodel_bsd44_suser_machdep_cb, NULL);
kauth_listen_scope(OVERLAY_ISCOPE_MACHDEP,
secmodel_bsd44_securelevel_machdep_cb, NULL);
secmodel_bsd44_init();
}
SYSCTL_SETUP(sysctl_security_overlay_setup,
"sysctl security overlay setup")
{
const struct sysctlnode *rnode;
sysctl_createv(clog, 0, NULL, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "security", NULL,
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "models", NULL,
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, &rnode,
CTLFLAG_PERMANENT,
CTLTYPE_NODE, "overlay",
SYSCTL_DESCR("Overlay security model on-top of bsd44, "),
NULL, 0, NULL, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT,
CTLTYPE_STRING, "name", NULL,
NULL, 0, __UNCONST("Overlay (on-top of bsd44)"), 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "securelevel",
SYSCTL_DESCR("System security level"),
secmodel_bsd44_sysctl_securelevel, 0, &securelevel, 0,
CTL_CREATE, CTL_EOL);
sysctl_createv(clog, 0, &rnode, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
CTLTYPE_INT, "curtain",
SYSCTL_DESCR("Curtain information about objects to "
"users not owning them."),
NULL, 0, &secmodel_bsd44_curtain, 0,
CTL_CREATE, CTL_EOL);
}
/*
* Start the overlay security model.
*/
void
secmodel_start(void)
{
secmodel_overlay_init();
kauth_listen_scope(KAUTH_SCOPE_GENERIC,
secmodel_overlay_generic_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
secmodel_overlay_system_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_PROCESS,
secmodel_overlay_process_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_NETWORK,
secmodel_overlay_network_cb, NULL);
kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
secmodel_overlay_machdep_cb, NULL);
}
/*
* Overlay listener for the generic scope.
*/
int
secmodel_overlay_generic_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DEFER;
switch (action) {
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (result == KAUTH_RESULT_DEFER) {
result = kauth_authorize_action(
secmodel_overlay_iscope_generic, cred, action,
arg0, arg1, arg2, arg3);
}
return (result);
}
/*
* Overlay listener for the system scope.
*/
int
secmodel_overlay_system_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DEFER;
switch (action) {
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (result == KAUTH_RESULT_DEFER) {
result = kauth_authorize_action(
secmodel_overlay_iscope_system, cred, action,
arg0, arg1, arg2, arg3);
}
return (result);
}
/*
* Overlay listener for the process scope.
*/
int
secmodel_overlay_process_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DEFER;
switch (action) {
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (result == KAUTH_RESULT_DEFER) {
result = kauth_authorize_action(
secmodel_overlay_iscope_process, cred, action,
arg0, arg1, arg2, arg3);
}
return (result);
}
/*
* Overlay listener for the network scope.
*/
int
secmodel_overlay_network_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DEFER;
switch (action) {
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (result == KAUTH_RESULT_DEFER) {
result = kauth_authorize_action(
secmodel_overlay_iscope_network, cred, action,
arg0, arg1, arg2, arg3);
}
return (result);
}
/*
* Overlay listener for the machdep scope.
*/
int
secmodel_overlay_machdep_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
int result;
result = KAUTH_RESULT_DEFER;
switch (action) {
default:
result = KAUTH_RESULT_DEFER;
break;
}
if (result == KAUTH_RESULT_DEFER) {
result = kauth_authorize_action(
secmodel_overlay_iscope_machdep, cred, action,
arg0, arg1, arg2, arg3);
}
return (result);
}
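Review bot: the SYSCTL_DESCR string for the "overlay" node, "Overlay security model on-top of bsd44, ", ends in a stray comma and space that will show up verbatim in `sysctl -d` output; drop the trailing ", ". Two smaller points: the file-scope `extern int secmodel_bsd44_curtain;` duplicates the declaration already pulled in from <secmodel/bsd44/suser.h>, and each of the five listener callbacks carries a `switch (action)` with only a `default:` label, so a comment above secmodel_overlay_generic_cb saying that this switch is where per-action overrides go, ahead of the fall-back kauth_authorize_action() on the internal scope, would make the sample's purpose clear to people copying it.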

sys/secmodel/secmodel.h Normal file

@ -0,0 +1,37 @@
/* $NetBSD: secmodel.h,v 1.1 2006/09/08 20:58:56 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Elad Efrat.
* 4. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _SECMODEL_SECMODEL_H_
#define _SECMODEL_SECMODEL_H_
void secmodel_start(void);
#endif /* !_SECMODEL_SECMODEL_H_ */
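Review bot: secmodel_start() is the only entry point a security model exposes, but nothing here says who calls it, when (before the first kauth_authorize_*() request, presumably, since the listeners are registered inside it), or whether it may be called more than once. A short contract comment above the prototype would save the next model author from guessing.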


@ -1,4 +1,4 @@
/* $NetBSD: kauth.h,v 1.5 2006/07/17 14:37:20 ad Exp $ */
/* $NetBSD: kauth.h,v 1.6 2006/09/08 20:58:58 elad Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -61,20 +61,131 @@ typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
* Scopes.
*/
#define KAUTH_SCOPE_GENERIC "org.netbsd.kauth.generic"
#define KAUTH_SCOPE_SYSTEM "org.netbsd.kauth.system"
#define KAUTH_SCOPE_PROCESS "org.netbsd.kauth.process"
/*
* Process scope - actions.
*/
#define KAUTH_PROCESS_CANPTRACE 1 /* check if can attach ptrace */
#define KAUTH_PROCESS_CANSIGNAL 2 /* check if can post signal */
#define KAUTH_PROCESS_CANSEE 3 /* check if can see proc info */
#define KAUTH_SCOPE_NETWORK "org.netbsd.kauth.network"
#define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep"
/*
* Generic scope - actions.
*/
#define KAUTH_GENERIC_ISSUSER 1 /* check for super-user */
#define KAUTH_GENERIC_CANSEE 2 /* check if can see other cred */
enum {
KAUTH_GENERIC_CANSEE=1,
KAUTH_GENERIC_ISSUSER
};
/*
* System scope - actions.
*/
enum {
KAUTH_SYSTEM_ACCOUNTING=1,
KAUTH_SYSTEM_CHROOT,
KAUTH_SYSTEM_DEBUG,
KAUTH_SYSTEM_FILEHANDLE,
KAUTH_SYSTEM_LKM,
KAUTH_SYSTEM_MKNOD,
KAUTH_SYSTEM_RAWIO,
KAUTH_SYSTEM_REBOOT,
KAUTH_SYSTEM_SETIDCORE,
KAUTH_SYSTEM_SWAPCTL,
KAUTH_SYSTEM_SYSCTL,
KAUTH_SYSTEM_TIME
};
/*
* System scope - sub-actions.
*/
enum kauth_system_req {
KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
KAUTH_REQ_SYSTEM_DEBUG_IPKDB,
KAUTH_REQ_SYSTEM_RAWIO_DISK,
KAUTH_REQ_SYSTEM_RAWIO_MEMORY,
KAUTH_REQ_SYSTEM_RAWIO_READ,
KAUTH_REQ_SYSTEM_RAWIO_RW,
KAUTH_REQ_SYSTEM_RAWIO_WRITE,
KAUTH_REQ_SYSTEM_SYSCTL_ADD,
KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
KAUTH_REQ_SYSTEM_SYSCTL_DESC,
KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
KAUTH_REQ_SYSTEM_TIME_ADJTIME,
KAUTH_REQ_SYSTEM_TIME_BACKWARDS,
KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
KAUTH_REQ_SYSTEM_TIME_SYSTEM
};
/*
* Process scope - actions.
*/
enum {
KAUTH_PROCESS_CANSEE=1,
KAUTH_PROCESS_CANSIGNAL,
KAUTH_PROCESS_CORENAME,
KAUTH_PROCESS_RESOURCE,
KAUTH_PROCESS_SETID
};
/*
* Process scope - sub-actions.
*/
enum {
KAUTH_REQ_PROCESS_RESOURCE_NICE=1,
KAUTH_REQ_PROCESS_RESOURCE_RLIMIT
};
/*
* Network scope - actions.
*/
enum {
KAUTH_NETWORK_ALTQ=1,
KAUTH_NETWORK_BIND,
KAUTH_NETWORK_FIREWALL,
KAUTH_NETWORK_FORWSRCRT,
KAUTH_NETWORK_ROUTE,
KAUTH_NETWORK_SOCKET
};
/*
* Network scope - sub-actions.
*/
enum kauth_network_req {
KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
KAUTH_REQ_NETWORK_ALTQ_BLUE,
KAUTH_REQ_NETWORK_ALTQ_CBQ,
KAUTH_REQ_NETWORK_ALTQ_CDNR,
KAUTH_REQ_NETWORK_ALTQ_CONF,
KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
KAUTH_REQ_NETWORK_ALTQ_HFSC,
KAUTH_REQ_NETWORK_ALTQ_PRIQ,
KAUTH_REQ_NETWORK_ALTQ_RED,
KAUTH_REQ_NETWORK_ALTQ_RIO,
KAUTH_REQ_NETWORK_ALTQ_WFQ,
KAUTH_REQ_NETWORK_BIND_PORT,
KAUTH_REQ_NETWORK_BIND_PRIVPORT,
KAUTH_REQ_NETWORK_FIREWALL_FW,
KAUTH_REQ_NETWORK_FIREWALL_NAT,
KAUTH_REQ_NETWORK_SOCKET_ATTACH,
KAUTH_REQ_NETWORK_SOCKET_RAWSOCK
};
/*
* Machdep scope - actions.
*/
enum {
KAUTH_MACHDEP_X86=1,
KAUTH_MACHDEP_X86_64
};
/*
* Machdep scope - sub-actions.
*/
enum kauth_machdep_req {
KAUTH_REQ_MACHDEP_X86_64_MTRR_GET=1, /* ridiculous. */
KAUTH_REQ_MACHDEP_X86_IOPERM,
KAUTH_REQ_MACHDEP_X86_IOPL,
KAUTH_REQ_MACHDEP_X86_MTRR_SET
};
#define NOCRED ((kauth_cred_t)-1) /* no credential available */
#define FSCRED ((kauth_cred_t)-2) /* filesystem credential */
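Review bot: moving the action constants from #define to enum silently renumbers them: KAUTH_GENERIC_ISSUSER goes from 1 to 2 and KAUTH_GENERIC_CANSEE from 2 to 1, and in the process scope KAUTH_PROCESS_CANSEE moves from 3 to 1 while KAUTH_PROCESS_CANPTRACE disappears altogether. Anything compiled against the old header (an out-of-tree LKM, a listener built before this change) will now present the wrong action to the listeners, and the ptrace attach check needs a home if it is not covered elsewhere in this commit; please call out the renumbering in the commit message and either add a replacement for CANPTRACE or a comment saying where that check went. Also, the generic and process enums are anonymous while the system, network and machdep ones are named (enum kauth_system_req etc.); naming all of them lets the wrappers take typed parameters.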
@ -98,8 +209,14 @@ int kauth_authorize_cb_process(kauth_cred_t, kauth_action_t, void *,
/* Authorization wrappers. */
int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
void *, void *, void *);
int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
void *, void *, void *);
int kauth_authorize_network(kauth_cred_t, kauth_action_t,
void *, void *, void *, void *);
int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
void *, void *, void *, void *);
/* Kauth credentials management routines. */
kauth_cred_t kauth_cred_alloc(void);
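Review bot: kauth_authorize_system() takes a typed `enum kauth_system_req` for the request, but kauth_authorize_network() and kauth_authorize_machdep() take `void *` for theirs even though enum kauth_network_req and enum kauth_machdep_req are defined in the same header; giving them the typed parameter too lets the compiler catch a request from the wrong scope and removes the `(u_long)` casts the listeners apply to arg0.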
@ -131,6 +248,7 @@ u_int kauth_cred_getrefcnt(kauth_cred_t);
int kauth_cred_setgroups(kauth_cred_t, gid_t *, size_t, uid_t);
int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t);
int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
void kauth_cred_uucvt(kauth_cred_t, const struct uucred *);
int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
void kauth_cred_toucred(kauth_cred_t, struct ucred *);
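Review bot: kauth_cred_uidmatch() is added without a comment on which uids are compared (real, effective, saved, or any of them), and that is exactly what a caller deciding whether one process may act on another needs to know; a one-line description next to the prototype, which the kauth(9) page will need anyway, would do.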


@ -1,4 +1,4 @@
/* $NetBSD: sysctl.h,v 1.156 2006/08/17 17:11:29 christos Exp $ */
/* $NetBSD: sysctl.h,v 1.157 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (c) 1989, 1993
@ -919,9 +919,6 @@ struct kinfo_file {
/* Root node of the kernel sysctl tree */
extern struct sysctlnode sysctl_root;
/* XXX this should not be here */
extern int security_curtain;
/*
* A log of nodes created by a setup function or set of setup
* functions so that they can be torn down in one "transaction"
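Review bot: removing `extern int security_curtain` from sysctl.h is the right move given the "XXX this should not be here" comment, but its replacement, secmodel_bsd44_curtain, lives in a secmodel-private header, so any remaining user of security_curtain outside the bsd44 model now fails to build rather than quietly referencing a stale variable; worth a grep before commit, and a line in the log saying that the curtain knob is now owned and exposed by the security model.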


@ -1,4 +1,4 @@
/* $NetBSD: uvm_swap.c,v 1.105 2006/09/03 21:37:06 christos Exp $ */
/* $NetBSD: uvm_swap.c,v 1.106 2006/09/08 20:58:58 elad Exp $ */
/*
* Copyright (c) 1995, 1996, 1997 Matthew R. Green
@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.105 2006/09/03 21:37:06 christos Exp $");
__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.106 2006/09/08 20:58:58 elad Exp $");
#include "fs_nfs.h"
#include "opt_uvmhist.h"
@ -508,8 +508,8 @@ sys_swapctl(struct lwp *l, void *v, register_t *retval)
/*
* all other requests require superuser privs. verify.
*/
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
&l->l_acflag)))
if ((error = kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_SWAPCTL,
0, NULL, NULL, NULL)))
goto out;
if (SCARG(uap, cmd) == SWAP_DUMPOFF) {
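Review bot: the new kauth_authorize_system() call passes 0 as the `enum kauth_system_req` argument although that enum starts at 1 and defines no KAUTH_REQ_SYSTEM_SWAPCTL_* value, so a listener that switches on the request sees an out-of-range value; if swapctl has no sub-requests, a named "none" value or a comment saying 0 means "no sub-request" would make that deliberate. The old call also passed &l->l_acflag, which is how a granted super-user check got recorded in the process accounting flags; the new call passes NULL, so that accounting side effect is lost unless the system-scope listener sets it some other way.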