can copy directly to/from userspace.
Avoids exposing the implementation of the group list as an array to code
outside kern_auth.c.
compat code and man page need updating.
Exposed that the kauth code holds groups in an array, but removes some
of the knowledge of the maximum number of groups.
Allows the syscall code to copyin/out directly to/from the cred structure,
this save a lot of faffing about with malloc/free even when compat code
has to use 16bit groups.
(depracted some time ago) 'struct kinfo_proc' returned by sysctl.
Move the definitions to sys/syctl.h and rename in order to ensure all the
users are located.
implementation and meant to be used by security models to hook credential
related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(),
kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively)
and document it.
Add specificdata to credentials, and routines to register/deregister new
"keys", as well as set/get routines. This allows security models to add
their own private data to a kauth_cred_t.
The above two, combined, allow security models to control inheritance of
their own private data in credentials which is a requirement for doing
stuff like, I dunno, capabilities?
undocumented) and change logic in kauth_authorize_action() to only
allow an action if it wasn't explicitly allowed/denied and there are no
secmodels loaded.
Okay yamt@.
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
recent bugs introduced with the usage of kauth(9) in MD/device code.
While here, change the sanity checks to KASSERT(), because they're really
bugs we should fix if triggered.
It uses an authorization wrapper per device class on the system to
ensure type-safety.
For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.
Update documentation.
the logic in kauth_authorize_action() to use it.
When we try to authorize a request and the flag is FALSE, it means a
kernel was compiled with no listeners (or we're in very early boot stages),
and we always allow the request because it's likely to be coming from the
kernel itself or from loading an LKM with the security model (later on).
Assert that if the "listeners have been loaded" flag is FALSE, there are
really no listeners for the scope we're authorizing on.
When the flag is TRUE (ie., listeners have been loaded) but they were
later removed, creating a scope with no listeners, the request will be
denied further down.
This allows us to have the security model compiled outside the NetBSD
kernel and later loaded as an LKM, without fearing an attack will just
remove listeners we loaded earlier to create a "fail open" situation.
Input from yamt@, thorpej@, gdt@, dan@.
Okay yamt@, thorpej@.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.htmlhttp://mail-index.netbsd.org/tech-security/2006/03/24/0001.htmlhttp://mail-index.netbsd.org/tech-security/2006/04/18/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/05/15/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/08/01/0000.htmlhttp://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
listeners to always return "allow".
The idea is that it's not entirely unlikely that some vendors, or users,
will decide to load the security model as an LKM, and that can only
happen after at least mounting local file-systems. If we would not have
this fast-path, all authorization requests would be denied.
okay christos@
Attached diff let's call kauth_register_scope() with a NULL default
listener. from tn2127:
"callback is the address of the listener callback function for this
scope; this becomes the scope's default listener. This parameter may be
NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is
assumed."
- When freeing, test the value of cr_refcnt from inside the lock perimiter.
- Change some uint16_t/uint32_t types to u_int.
- KASSERT(cr_refcnt > 0) in appropriate places.
- KASSERT(cr_refcnt == 1) when changing the credential.
for two kauth_cred_t rather than kauth_cred_t and struct proc *.
advise against using it in the man-page; it should be used only in cases
where we either don't have an object-specific op or when we can't easily
use one.
so I remove the assertion uid >= 0 && uid <= UID_MAX. This squashes
a bug where Quagga would panic my machine by passing a UID outside
the range [0, UID_MAX].
AFAICT, this restores the historical (pre-kauth) behavior.
It is likely that GIDs do not satisfy the assertion gid >= 0 &&
gid <= GID_MAX, so remove that, too.
Patch from elad.