Introduce actions/requests to handle authorization for the ppp(4), sl(4),
strip(4), btuart(4) and bcsp(4) network interfaces and devices.

Mailing list reference:

	http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004955.html
elad 2009-05-07 18:01:56 +00:00
parent 0b635e75c0
commit b853042065
8 changed files with 169 additions and 29 deletions


@ -1,4 +1,4 @@
.\" $NetBSD: kauth.9,v 1.81 2009/05/07 11:54:41 wiz Exp $
.\" $NetBSD: kauth.9,v 1.82 2009/05/07 18:01:56 elad Exp $
.\"
.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
.\" All rights reserved.
@ -25,7 +25,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd May 5, 2009
.Dd May 7, 2009
.Dt KAUTH 9
.Os
.Sh NAME
@ -601,6 +601,45 @@ for the interface was passed in
there's no way to tell what structure
.Ar arg3
is.
.It Dv KAUTH_NETWORK_INTERFACE_PPP
Checks operations performed on the
.Xr ppp 4
network interface are allowed.
.Pp
.Ar req
can be one of the following:
.Bl -tag -width compact
.It Dv KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD
Checks if adding and enabling a
.Xr ppp 4
interface to the system is allowed.
.El
.It Dv KAUTH_NETWORK_INTERFACE_SLIP
Checks operations performed on the
.Xr sl 4
network interface are allowed.
.Pp
.Ar req
can be one of the following:
.Bl -tag -width compact
.It Dv KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD
Checks if adding and enabling a
.Xr sl 4
interface to the system is allowed.
.El
.It Dv KAUTH_NETWORK_INTERFACE_STRIP
Checks operations performed on the
.Xr strip 4
network interface are allowed.
.Pp
.Ar req
can be one of the following:
.Bl -tag -width compact
.It Dv KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD
Check if adding and enabling a
.Xr strip 4
interface to the system is allowed.
.El
.It Dv KAUTH_NETWORK_FORWSRCRT
Checks whether status of forwarding of source-routed packets can be modified
or not.
@ -865,6 +904,36 @@ Authorizing actions relevant to bluetooth devices is done using the standard
authorization wrapper, with the following actions:
.Pp
.Bl -tag -width compact
.It KAUTH_DEVICE_BLUETOOTH_BCSP
Check if operations on a
.Xr bcsp 4
device are allowed.
.Pp
.Ar arg0
is an
.Ft enum kauth_device_req
with one of the following values:
.Bl -tag -width compact
.It Dv KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD
Check if adding and enabling a
.Xr bcsp 4
device is allowed.
.El
.It KAUTH_DEVICE_BLUETOOTH_BTUART
Check if operations on a
.Xr btuart 4
device are allowed.
.Pp
.Ar arg0
is an
.Ft enum kauth_device_req
with one of the following values:
.Bl -tag -width compact
.It Dv KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD
Check if adding and enabling a
.Xr btuart 4
device is allowed.
.El
.It KAUTH_DEVICE_BLUETOOTH_SETPRIV
Check if privileged settings can be changed.
.Pp


@ -1,4 +1,4 @@
/* $NetBSD: bcsp.c,v 1.16 2009/04/26 07:53:43 elad Exp $ */
/* $NetBSD: bcsp.c,v 1.17 2009/05/07 18:01:57 elad Exp $ */
/*
* Copyright (c) 2007 KIYOHARA Takashi
* All rights reserved.
@ -26,7 +26,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: bcsp.c,v 1.16 2009/04/26 07:53:43 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: bcsp.c,v 1.17 2009/05/07 18:01:57 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -378,9 +378,10 @@ bcspopen(dev_t device __unused, struct tty *tp)
int error, unit, s;
static char name[] = "bcsp";
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, NULL)) != 0)
return error;
error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_BCSP,
KAUTH_ARG(KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD), NULL, NULL, NULL);
if (error)
return (error);
s = spltty();
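Review bot: The new `kauth_authorize_device()` call in bcspopen() passes NULL for arg1 through arg3, so a listener receives only the credential and the request and cannot tell which tty the line discipline is being attached to. If per-device policy is meant to be possible, pass `tp` as arg1 and document it in kauth(9); if not, a comment such as `/* No per-tty context is passed: policy is per-credential only. */` above the call would record that the omission is deliberate. The same applies to the calls added in the btuartopen(), slopen(), stripopen() and pppopen() hunks. bcspopen()'s body starts and continues outside the hunk.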


@ -1,4 +1,4 @@
/* $NetBSD: btuart.c,v 1.21 2009/04/26 07:53:43 elad Exp $ */
/* $NetBSD: btuart.c,v 1.22 2009/05/07 18:01:57 elad Exp $ */
/*-
* Copyright (c) 2006, 2007 KIYOHARA Takashi
@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: btuart.c,v 1.21 2009/04/26 07:53:43 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: btuart.c,v 1.22 2009/05/07 18:01:57 elad Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@ -226,9 +226,10 @@ btuartopen(dev_t devno __unused, struct tty *tp)
struct lwp *l = curlwp; /* XXX */
int error, unit, s;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, NULL)) != 0)
return error;
error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_BTUART,
KAUTH_ARG(KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD), NULL, NULL, NULL);
if (error)
return (error);
s = spltty();


@ -1,4 +1,4 @@
/* $NetBSD: if_sl.c,v 1.114 2008/12/17 20:51:36 cegger Exp $ */
/* $NetBSD: if_sl.c,v 1.115 2009/05/07 18:01:57 elad Exp $ */
/*
* Copyright (c) 1987, 1989, 1992, 1993
@ -60,7 +60,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: if_sl.c,v 1.114 2008/12/17 20:51:36 cegger Exp $");
__KERNEL_RCSID(0, "$NetBSD: if_sl.c,v 1.115 2009/05/07 18:01:57 elad Exp $");
#include "opt_inet.h"
#include "bpfilter.h"
@ -303,8 +303,9 @@ slopen(dev_t dev, struct tty *tp)
struct sl_softc *sc;
int error;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
NULL)) != 0)
error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_SLIP,
KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD, NULL, NULL, NULL);
if (error)
return error;
if (tp->t_linesw == &slip_disc)


@ -1,4 +1,4 @@
/* $NetBSD: if_strip.c,v 1.92 2009/04/18 14:58:05 tsutsui Exp $ */
/* $NetBSD: if_strip.c,v 1.93 2009/05/07 18:01:57 elad Exp $ */
/* from: NetBSD: if_sl.c,v 1.38 1996/02/13 22:00:23 christos Exp $ */
/*
@ -87,7 +87,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: if_strip.c,v 1.92 2009/04/18 14:58:05 tsutsui Exp $");
__KERNEL_RCSID(0, "$NetBSD: if_strip.c,v 1.93 2009/05/07 18:01:57 elad Exp $");
#include "opt_inet.h"
#include "bpfilter.h"
@ -475,8 +475,10 @@ stripopen(dev_t dev, struct tty *tp)
struct strip_softc *sc;
int error;
if ((error = kauth_authorize_generic(l->l_cred,
KAUTH_GENERIC_ISSUSER, NULL)) != 0)
error = kauth_authorize_network(l->l_cred,
KAUTH_NETWORK_INTERFACE_STRIP,
KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD, NULL, NULL, NULL);
if (error)
return (error);
if (tp->t_linesw == &strip_disc)


@ -1,4 +1,4 @@
/* $NetBSD: ppp_tty.c,v 1.54 2009/04/15 20:44:25 elad Exp $ */
/* $NetBSD: ppp_tty.c,v 1.55 2009/05/07 18:01:57 elad Exp $ */
/* Id: ppp_tty.c,v 1.3 1996/07/01 01:04:11 paulus Exp */
/*
@ -93,7 +93,7 @@
/* from NetBSD: if_ppp.c,v 1.15.2.2 1994/07/28 05:17:58 cgd Exp */
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ppp_tty.c,v 1.54 2009/04/15 20:44:25 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: ppp_tty.c,v 1.55 2009/05/07 18:01:57 elad Exp $");
#include "ppp.h"
@ -208,8 +208,9 @@ pppopen(dev_t dev, struct tty *tp)
struct ppp_softc *sc;
int error, s;
if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
NULL)) != 0)
error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_PPP,
KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD, NULL, NULL, NULL);
if (error)
return (error);
s = spltty();


@ -1,4 +1,4 @@
/* $NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $ */
/* $NetBSD: secmodel_bsd44_suser.c,v 1.65 2009/05/07 18:01:56 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.65 2009/05/07 18:01:56 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -849,6 +849,42 @@ secmodel_bsd44_suser_network_cb(kauth_cred_t cred, kauth_action_t action,
}
break;
case KAUTH_NETWORK_INTERFACE_PPP:
switch (req) {
case KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
break;
}
break;
case KAUTH_NETWORK_INTERFACE_SLIP:
switch (req) {
case KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
break;
}
break;
case KAUTH_NETWORK_INTERFACE_STRIP:
switch (req) {
case KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
break;
}
break;
case KAUTH_NETWORK_NFS:
switch (req) {
case KAUTH_REQ_NETWORK_NFS_EXPORT:
@ -1015,6 +1051,25 @@ secmodel_bsd44_suser_device_cb(kauth_cred_t cred, kauth_action_t action,
result = KAUTH_RESULT_ALLOW;
break;
case KAUTH_DEVICE_BLUETOOTH_BCSP:
case KAUTH_DEVICE_BLUETOOTH_BTUART: {
enum kauth_device_req req;
req = (enum kauth_device_req)arg0;
switch (req) {
case KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD:
case KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
default:
break;
}
break;
}
case KAUTH_DEVICE_RAWIO_SPEC:
case KAUTH_DEVICE_RAWIO_PASSTHRU:
/*
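Review bot: In the device-callback hunk, `KAUTH_DEVICE_BLUETOOTH_BCSP` and `KAUTH_DEVICE_BLUETOOTH_BTUART` share one case and the inner switch accepts either `_ADD` request, so a BCSP action carrying the BTUART request (or the reverse) is still allowed for root. The outcome is the same today because both paths end in the `isroot` test, but a caller that pairs the wrong request with an action goes unnoticed, and the pairing will matter if the two devices ever get different rules. Splitting the cases, as the PPP/SLIP/STRIP blocks in the network callback do, keeps each action tied to its own request. The callback begins and ends outside the hunk.

```c
	case KAUTH_DEVICE_BLUETOOTH_BCSP:
		/* Only the BCSP request is valid for the BCSP action. */
		if ((enum kauth_device_req)arg0 ==
		    KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD && isroot)
			result = KAUTH_RESULT_ALLOW;
		break;

	case KAUTH_DEVICE_BLUETOOTH_BTUART:
		/* Only the BTUART request is valid for the BTUART action. */
		if ((enum kauth_device_req)arg0 ==
		    KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD && isroot)
			result = KAUTH_RESULT_ALLOW;
		break;

	/* … unchanged: KAUTH_DEVICE_RAWIO_SPEC / RAWIO_PASSTHRU cases … */
```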


@ -1,4 +1,4 @@
/* $NetBSD: kauth.h,v 1.56 2009/05/05 21:03:28 elad Exp $ */
/* $NetBSD: kauth.h,v 1.57 2009/05/07 18:01:56 elad Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -177,7 +177,10 @@ enum {
KAUTH_NETWORK_FORWSRCRT,
KAUTH_NETWORK_NFS,
KAUTH_NETWORK_ROUTE,
KAUTH_NETWORK_SOCKET
KAUTH_NETWORK_SOCKET,
KAUTH_NETWORK_INTERFACE_PPP,
KAUTH_NETWORK_INTERFACE_SLIP,
KAUTH_NETWORK_INTERFACE_STRIP,
};
/*
@ -210,7 +213,10 @@ enum kauth_network_req {
KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
KAUTH_REQ_NETWORK_SOCKET_CANSEE,
KAUTH_REQ_NETWORK_SOCKET_DROP,
KAUTH_REQ_NETWORK_SOCKET_SETPRIV
KAUTH_REQ_NETWORK_SOCKET_SETPRIV,
KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD,
};
/*
@ -242,6 +248,8 @@ enum {
KAUTH_DEVICE_RND_ADDDATA,
KAUTH_DEVICE_RND_GETPRIV,
KAUTH_DEVICE_RND_SETPRIV,
KAUTH_DEVICE_BLUETOOTH_BCSP,
KAUTH_DEVICE_BLUETOOTH_BTUART,
};
/*
@ -251,6 +259,8 @@ enum kauth_device_req {
KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
};
/*