Commit Graph

55 Commits

Author SHA1 Message Date
ad
045db07a6d Fix minor error in previous. 2007-11-29 19:50:28 +00:00
ad
7ec1c5e617 Use atomics to adjust the credential reference count. 2007-11-29 17:48:27 +00:00
matt
11910619f7 Change some initialization of static queues to compile time.
(xxx_INIT to xxx_HEAD_INITIALIZER).  Drop code which inits
non-auto (global or static) variables to 0 since that's
already implied by being non-auto.  Init some static/global
cpu_simple_locks at compile time.
2007-11-11 23:22:23 +00:00
ad
d18c6ca4de Merge from vmlocking:
- pool_cache changes.
- Debugger/procfs locking fixes.
- Other minor changes.
2007-11-07 00:23:13 +00:00
yamt
97427fb0e4 use a correct type for UIO_*. 2007-09-23 16:00:08 +00:00
dsl
5cf79e2a72 Fix the other inverted test as well. 2007-07-06 17:33:31 +00:00
dsl
dd378adf69 Fix inverted test, should fix nfs and hp700 issues. 2007-07-06 17:27:49 +00:00
dsl
04c196a642 Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups
can copy directly to/from userspace.
Avoids exposing the implementation of the group list as an array to code
outside kern_auth.c.
compat code and man page need updating.
2007-06-30 13:32:14 +00:00
dsl
a254a27e55 Simplify the interfaces needed for sys_setgroups() and sys_getgroups().
Exposed that the kauth code holds groups in an array, but removes some
of the knowledge of the maximum number of groups.
Allows the syscall code to copyin/out directly to/from the cred structure,
this saves a lot of faffing about with malloc/free even when compat code
has to use 16bit groups.
2007-06-23 09:02:12 +00:00
ad
59d979c5f1 Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.
2007-03-12 18:18:22 +00:00
christos
2a84b2c2c1 Revert the kauth_impl.h change. Elad is going to maintain this. Asked by core@ 2007-02-24 20:41:33 +00:00
dsl
6209b5bbf3 The pre-kauth 'struct ucred' and 'struct pcred' are now only used in the
(deprecated some time ago) 'struct kinfo_proc' returned by sysctl.
Move the definitions to sys/sysctl.h and rename in order to ensure all the
users are located.
2007-02-18 15:20:34 +00:00
ad
b07ec3fc38 Merge newlock2 to head. 2007-02-09 21:55:00 +00:00
elad
3d8c2eee5f Add comment referring to kvm_proc.c. 2007-02-07 08:04:48 +00:00
elad
85f515764b Fix notify only logic for credentials scope. Thanks ad@! 2007-01-31 16:30:09 +00:00
elad
c439bcfe43 Add a new scope, the credentials scope, which is internal to the kauth(9)
implementation and meant to be used by security models to hook credential
related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(),
kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively)
and document it.

Add specificdata to credentials, and routines to register/deregister new
"keys", as well as set/get routines. This allows security models to add
their own private data to a kauth_cred_t.

The above two, combined, allow security models to control inheritance of
their own private data in credentials which is a requirement for doing
stuff like, I dunno, capabilities?
2007-01-31 10:08:23 +00:00
elad
3238d589b2 No need to include acct.h, sysctl.h, and time.h. 2007-01-26 23:50:36 +00:00
elad
f3cc348dad Introduce secmodel_register() and secmodel_deregister() (for now left
undocumented) and change logic in kauth_authorize_action() to only
allow an action if it wasn't explicitly allowed/denied and there are no
secmodels loaded.

Okay yamt@.
2007-01-16 11:51:22 +00:00
elad
6df6f0ea65 Introduce kauth_proc_fork() to control credential inheritance. 2007-01-15 17:45:32 +00:00
elad
d2e4f7167b Remove advertising clause from all of my stuff. 2007-01-09 12:49:36 +00:00
elad
c6e8423fec Make kauth_deregister_scope() and kauth_unlisten_scope() free the
passed kauth_scope_t and kauth_listener_t objects, respectively.

Okay yamt@.
2007-01-01 23:33:03 +00:00
elad
504c71d9fe Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
2006-12-26 10:43:43 +00:00
ad
d635d897fb Allocate space for scopes and listeners with kmem. Ok elad@. 2006-12-23 08:38:00 +00:00
elad
432c309931 Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.

Discussed on tech-security@ and tech-kern@. Okay tls@.
2006-12-02 03:10:42 +00:00
elad
2db3a96be7 Provide a standard authorization wrapper for the device scope. 2006-11-19 00:11:29 +00:00
elad
fe9e2303fd Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o
requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU.

Expose iskmemdev() through sys/conf.h.

okay yamt@
2006-11-04 09:30:00 +00:00
yamt
1a7bc55dcc remove some __unused from function parameters. 2006-11-01 10:17:58 +00:00
pooka
96d8335980 kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred()
per tech-kern proposal
2006-10-22 13:07:15 +00:00
elad
54c1c4a4dc Remove todo that has been documented for a long time now. 2006-10-22 10:37:19 +00:00
christos
4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
elad
f0c7040a3f Move the kauth_init() call above auto-configuration; this will fix some
recent bugs introduced with the usage of kauth(9) in MD/device code.

While here, change the sanity checks to KASSERT(), because they're really
bugs we should fix if triggered.
2006-10-02 16:29:57 +00:00
elad
b8a339347f Implement the "device" scope.
It uses an authorization wrapper per device class on the system to
ensure type-safety.

For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.

Update documentation.
2006-09-30 20:05:57 +00:00
elad
6ecd7be983 Lose (void *) casts on the machdep scope authorization wrapper. Update
documentation.
2006-09-19 22:03:10 +00:00
elad
83a5239b28 Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.
2006-09-19 21:42:29 +00:00
elad
b60c6b99ca Introduce a new flag we mark as TRUE when we load listeners, and change
the logic in kauth_authorize_action() to use it.

When we try to authorize a request and the flag is FALSE, it means a
kernel was compiled with no listeners (or we're in very early boot stages),
and we always allow the request because it's likely to be coming from the
kernel itself or from loading an LKM with the security model (later on).

Assert that if the "listeners have been loaded" flag is FALSE, there are
really no listeners for the scope we're authorizing on.

When the flag is TRUE (i.e., listeners have been loaded) but they were
later removed, creating a scope with no listeners, the request will be
denied further down.

This allows us to have the security model compiled outside the NetBSD
kernel and later loaded as an LKM, without fearing an attack will just
remove listeners we loaded earlier to create a "fail open" situation.

Input from yamt@, thorpej@, gdt@, dan@.
Okay yamt@, thorpej@.
2006-09-15 14:28:04 +00:00
yamt
97194de33c kauth_register_scope: don't leak a listener
when no default listener is specified.
2006-09-14 11:37:07 +00:00
elad
c2ea23c509 Add __KERNEL_RCSID(), requested by and okay xtraeme@. 2006-09-08 21:57:38 +00:00
elad
5f7169ccb1 First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
  opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
  security model, called "bsd44". This is the default (and only) model we
  have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

  * There's a sample overlay model, sitting on-top of "bsd44", for
    fast experimenting with tweaking just a subset of an existing model.

    This is pretty cool because it's *really* straightforward to do stuff
    you had to use ugly hacks for until now...

  * And of course, documentation describing how to do the above for quick
    reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

	http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

  - Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
  - Checks 'securelevel' directly,
  - Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stabilizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
2006-09-08 20:58:56 +00:00
elad
994bc68e9f Short-circuit calls to kauth_authorize_action() for a scope without any
listeners to always return "allow".

The idea is that it's not entirely unlikely that some vendors, or users,
will decide to load the security model as an LKM, and that can only
happen after at least mounting local file-systems. If we would not have
this fast-path, all authorization requests would be denied.

okay christos@
2006-09-02 20:10:24 +00:00
christos
cba8e50f44 From Elad:
Attached diff short-circuits kauth_authorize_action() if the request
comes from the kernel (NOCRED or FSCRED).

okay matt@
2006-08-20 15:05:14 +00:00
christos
c07e49883f Pretending to be Elad's keyboard:
Attached diff lets us call kauth_register_scope() with a NULL default
listener. from tn2127:

"callback is the address of the listener callback function for this
scope; this becomes the scope's default listener. This parameter may be
NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is
assumed."
2006-08-16 17:57:26 +00:00
elad
14171f6143 make the sleepable assertion in #if 0 (with commented out LOCKDEBUG for
later) until we sort that stuff out.
2006-07-26 17:13:26 +00:00
ad
f474dceb13 Use the LWP cached credentials where sane. 2006-07-23 22:06:03 +00:00
elad
7e7591e119 if LOCKDEBUG, assert that we can sleep in kauth_authorize_action().
discussed with yamt@ on tech-kern.
2006-07-22 09:24:25 +00:00
ad
2af3d29e01 - Don't cast kauth_cred_t to (struct ucred *), just set pc_ucred = NULL.
- Fill ucred::cr_ref.
2006-07-17 14:47:02 +00:00
ad
55a5faa1ef - Only acquire cr_lock when changing cr_refcnt.
- When freeing, test the value of cr_refcnt from inside the lock perimeter.
- Change some uint16_t/uint32_t types to u_int.
- KASSERT(cr_refcnt > 0) in appropriate places.
- KASSERT(cr_refcnt == 1) when changing the credential.
2006-07-17 14:37:20 +00:00
elad
d9a7152c3e add KAUTH_GENERIC_CANSEE, which is like the KAUTH_PROCESS_CANSEE, only
for two kauth_cred_t rather than kauth_cred_t and struct proc *.

advise against using it in the man-page; it should be used only in cases
where we either don't have an object-specific op or when we can't easily
use one.
2006-07-16 20:10:11 +00:00
yamt
bfe8806772 kauth_cred_setgroups: fix an assertion. 2006-07-15 05:54:56 +00:00
dyoung
5174aa84b6 The UID_MAX limit is not enforced by syscalls such as setreuid(2),
so I remove the assertion uid >= 0 && uid <= UID_MAX.  This squashes
a bug where Quagga would panic my machine by passing a UID outside
the range [0, UID_MAX].

AFAICT, this restores the historical (pre-kauth) behavior.

It is likely that GIDs do not satisfy the assertion gid >= 0 &&
gid <= GID_MAX, so remove that, too.

Patch from elad.
2006-06-13 22:56:46 +00:00
yamt
f755e9e9b8 remove unnecessary arguments from kauth_authorize_process.
i.e., make it similar to the one found in the Apple TN.
2006-06-13 13:56:50 +00:00