Add device scope actions for rnd(4) and use them.
Mailing list reference: http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004953.html
parent
f48b5c49cc
commit
b50c4b9e09
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: kauth.9,v 1.78 2009/05/03 19:25:39 wiz Exp $
|
||||
.\" $NetBSD: kauth.9,v 1.79 2009/05/05 21:03:28 elad Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
.\" All rights reserved.
|
||||
@ -25,7 +25,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd May 3, 2009
|
||||
.Dd May 5, 2009
|
||||
.Dt KAUTH 9
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -883,6 +883,20 @@ is a
|
||||
.Ft u_long
|
||||
describing the command.
|
||||
.El
|
||||
.Pp
|
||||
.Sy Kernel random device
|
||||
Authorization actions relevant to the kernel random device,
|
||||
.Xr rnd 4 ,
|
||||
is done using the standard authorization wrapper, with the following actions:
|
||||
.Pp
|
||||
.Bl -tag -width compact
|
||||
.It KAUTH_DEVICE_RND_ADDDATA
|
||||
Check if adding data to the entropy pool is allowed.
|
||||
.It KAUTH_DEVICE_RND_GETPRIV
|
||||
Check if privileged settings and information can be retrieved.
|
||||
.It KAUTH_DEVICE_RND_SETPRIV
|
||||
Check if privileged settings can be changed.
|
||||
.El
|
||||
.Ss Credentials Scope
|
||||
The credentials scope,
|
||||
.Dq org.netbsd.kauth.cred ,
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: rnd.c,v 1.71 2008/08/16 13:07:30 dan Exp $ */
|
||||
/* $NetBSD: rnd.c,v 1.72 2009/05/05 21:03:29 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 1997 The NetBSD Foundation, Inc.
|
||||
@ -31,7 +31,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: rnd.c,v 1.71 2008/08/16 13:07:30 dan Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: rnd.c,v 1.72 2009/05/05 21:03:29 elad Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/ioctl.h>
|
||||
@ -496,16 +496,30 @@ rndioctl(dev_t dev, u_long cmd, void *addr, int flag,
|
||||
case FIOASYNC:
|
||||
case RNDGETENTCNT:
|
||||
break;
|
||||
|
||||
case RNDGETPOOLSTAT:
|
||||
case RNDGETSRCNUM:
|
||||
case RNDGETSRCNAME:
|
||||
case RNDCTL:
|
||||
case RNDADDDATA:
|
||||
ret = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
|
||||
NULL);
|
||||
ret = kauth_authorize_device(l->l_cred,
|
||||
KAUTH_DEVICE_RND_GETPRIV, NULL, NULL, NULL, NULL);
|
||||
if (ret)
|
||||
return (ret);
|
||||
break;
|
||||
|
||||
case RNDCTL:
|
||||
ret = kauth_authorize_device(l->l_cred,
|
||||
KAUTH_DEVICE_RND_SETPRIV, NULL, NULL, NULL, NULL);
|
||||
if (ret)
|
||||
return (ret);
|
||||
break;
|
||||
|
||||
case RNDADDDATA:
|
||||
ret = kauth_authorize_device(l->l_cred,
|
||||
KAUTH_DEVICE_RND_ADDDATA, NULL, NULL, NULL, NULL);
|
||||
if (ret)
|
||||
return (ret);
|
||||
break;
|
||||
|
||||
default:
|
||||
return (EINVAL);
|
||||
}
|
||||
|
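Review bot: Each of the three new kauth_authorize_device() calls in rndioctl passes NULL for all four arguments, so a secmodel callback learns only the action, never which ioctl (`cmd`) triggered it; the preceding device subsection in the kauth.9 hunk documents a `u_long` "describing the command" as an argument, and following that precedent here, e.g. `KAUTH_DEVICE_RND_GETPRIV, (void *)cmd, NULL, NULL, NULL);` (or the header's KAUTH_ARG helper, if present), would let a policy distinguish RNDGETPOOLSTAT from RNDGETSRCNAME without a fourth action, and would then need a sentence in kauth.9. The three `if (ret) return (ret); break;` sequences are otherwise identical, so if the argument is added it should be added in all three places. rndioctl starts and ends outside the hunk.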
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: secmodel_bsd44_suser.c,v 1.63 2009/05/03 17:21:13 elad Exp $ */
|
||||
/* $NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $ */
|
||||
/*-
|
||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||
* All rights reserved.
|
||||
@ -38,7 +38,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.63 2009/05/03 17:21:13 elad Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
@ -1051,6 +1051,13 @@ secmodel_bsd44_suser_device_cb(kauth_cred_t cred, kauth_action_t action,
|
||||
|
||||
break;
|
||||
|
||||
case KAUTH_DEVICE_RND_ADDDATA:
|
||||
case KAUTH_DEVICE_RND_GETPRIV:
|
||||
case KAUTH_DEVICE_RND_SETPRIV:
|
||||
if (isroot)
|
||||
result = KAUTH_RESULT_ALLOW;
|
||||
break;
|
||||
|
||||
default:
|
||||
result = KAUTH_RESULT_DEFER;
|
||||
break;
|
||||
|
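Review bot: The three new cases in secmodel_bsd44_suser_device_cb assign `result` only when `isroot` is true, so the outcome for an unprivileged caller depends on the initial value of `result`, which is set before the switch, outside this hunk — presumably KAUTH_RESULT_DEFER, as the `default:` arm uses, so that another secmodel can still deny, but a reader has to leave the hunk to confirm it. I would add `/* rnd(4): only root may add entropy or read/change privileged state. */` above `case KAUTH_DEVICE_RND_ADDDATA:` so the grouping and the intended policy are visible at the point of decision. The callback starts and ends outside the hunk.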
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: kauth.h,v 1.55 2009/05/03 17:21:12 elad Exp $ */
|
||||
/* $NetBSD: kauth.h,v 1.56 2009/05/05 21:03:28 elad Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
|
||||
@ -239,6 +239,9 @@ enum {
|
||||
KAUTH_DEVICE_RAWIO_SPEC,
|
||||
KAUTH_DEVICE_RAWIO_PASSTHRU,
|
||||
KAUTH_DEVICE_BLUETOOTH_SETPRIV,
|
||||
KAUTH_DEVICE_RND_ADDDATA,
|
||||
KAUTH_DEVICE_RND_GETPRIV,
|
||||
KAUTH_DEVICE_RND_SETPRIV,
|
||||
};
|
||||
|
||||
/*
|
||||
|
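Review bot: The three new enumerators are appended after KAUTH_DEVICE_BLUETOOTH_SETPRIV in the anonymous action enum, which keeps the existing implicit values stable for already-built secmodels, but nothing in the header says which device they belong to. A one-line comment before `KAUTH_DEVICE_RND_ADDDATA,` such as `/* rnd(4) */` would tie them to the driver and to the new subsection added to kauth.9 in this commit. The enum opens outside the hunk.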