Introduce ``security.curtain'', new node for security features and

settings, and new variable for controlling access to objects based on user-id.
2005-09-07 16:26:15 +00:00 · 2005-09-07 16:26:15 +00:00 · ec14f2d11e
parent 15b43e830c
commit ec14f2d11e
2 changed files with 40 additions and 4 deletions
--- a/sys/kern/init_sysctl.c
+++ b/sys/kern/init_sysctl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: init_sysctl.c,v 1.53 2005/09/06 02:36:17 rpaulo Exp $ */
+/*	$NetBSD: init_sysctl.c,v 1.54 2005/09/07 16:26:15 elad Exp $ */

 /*-
 * Copyright (c) 2003 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.53 2005/09/06 02:36:17 rpaulo Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.54 2005/09/07 16:26:15 elad Exp $");

 #include "opt_sysv.h"
 #include "opt_multiprocessor.h"
@ -90,6 +90,9 @@ __KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.53 2005/09/06 02:36:17 rpaulo Exp

 #include <machine/cpu.h>

+/* XXX this should not be here */
+int security_curtain = 1;
+
 /*
 * try over estimating by 5 procs/lwps
 */
@ -247,6 +250,12 @@ SYSCTL_SETUP(sysctl_root_setup, "sysctl base setup")
 		       SYSCTL_DESCR("Emulation settings"),
 		       NULL, 0, NULL, 0,
 		       CTL_EMUL, CTL_EOL);
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT,
+		       CTLTYPE_NODE, "security",
+		       SYSCTL_DESCR("Security"),
+		       NULL, 0, NULL, 0,
+		       CTL_SECURITY, CTL_EOL);
 }

 /*
@ -1010,6 +1019,17 @@ SYSCTL_SETUP(sysctl_debug_setup, "sysctl debug subtree setup")
 }
 #endif /* DEBUG */

+SYSCTL_SETUP(sysctl_security_setup, "sysctl security subtree setup")
+{
+	sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "curtain",
+		       SYSCTL_DESCR("Curtain information about objects"
+				    " to users not owning them."),
+		       NULL, 0, &security_curtain, 0,
+		       CTL_SECURITY, SECURITY_CURTAIN, CTL_EOL);
+}
+
 /*
 * ********************************************************************
 * section 2: private node-specific helper routines.
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@ -1,4 +1,4 @@
-/*	$NetBSD: sysctl.h,v 1.140 2005/09/06 02:36:17 rpaulo Exp $	*/
+/*	$NetBSD: sysctl.h,v 1.141 2005/09/07 16:26:16 elad Exp $	*/

 /*
 * Copyright (c) 1989, 1993
@ -161,7 +161,8 @@ struct ctlname {
 #define	CTL_PROC	10		/* per-proc attr */
 #define	CTL_VENDOR	11		/* vendor-specific data */
 #define	CTL_EMUL	12		/* emulation-specific data */
-#define	CTL_MAXID	13		/* number of valid top-level ids */
+#define	CTL_SECURITY	13		/* security */
+#define	CTL_MAXID	14		/* number of valid top-level ids */

 #define	CTL_NAMES { \
 	{ 0, 0 }, \
@ -177,6 +178,7 @@ struct ctlname {
 	{ "proc", CTLTYPE_NODE }, \
 	{ "vendor", CTLTYPE_NODE }, \
 	{ "emul", CTLTYPE_NODE }, \
+	{ "security", CTLTYPE_NODE }, \
 }

 /*
@ -896,6 +898,20 @@ struct kinfo_file {
 	{ "mach", CTLTYPE_NODE }, \
 }

+/*
+ * CTL_SECURITY definitions.
+ */
+#define	SECURITY_CURTAIN	1
+#define	SECURITY_MAXID		2
+
+#define	CTL_SECURITY_NAMES { \
+	{ 0, 0 }, \
+	{ "curtain", CTLTYPE_INT }, \
+}
+
+/* XXX this should not be here */
+extern int security_curtain;
+
 #ifdef _KERNEL

 #if defined(_KERNEL_OPT)