Commit Graph

149 Commits

Author SHA1 Message Date
elad
190f3232cd Use the socket credentials, now that we have them, instead of uidinfo. 2009-12-29 04:25:30 +00:00
elad
dadcd7355c Rename KAUTH_GENERIC_CANSEE to KAUTH_GENERIC_UNUSED1 and remove handling for
the former.

(I'll remove it from the header next time a kernel version bump happens.)
2009-12-24 19:02:07 +00:00
stacktic
c461e11537 Fixed security.models.suser.curtain to deny when uid does not match.
OK pooka@
2009-11-18 09:47:18 +00:00
elad
1570e68c40 - Move kauth_init() a little bit higher.
- Add spec_init() to authorize special device actions (and passthru too for
  the time being). Move policy out of secmodel_suser.
2009-11-14 18:36:56 +00:00
cegger
570ca15b16 buildfix: define integer before use. i386 ALL kernel builds again 2009-10-19 08:20:21 +00:00
elad
c8cfab9333 Extract usermount policy to its own routine. 2009-10-07 01:31:41 +00:00
elad
1e17e53958 Compare against initproc, not pid 1, to check if it's init (unify). 2009-10-07 01:06:57 +00:00
elad
2cb56be586 Add a (weak aliased) machdep_init() as a place to do machdep initialization
that can't happen as early as the other init functions as called from
cpu_startup() -- for example, register kauth(9) listeners.

Put unprivileged policy in the x86 code; used by i386, amd64, and xen.
2009-10-06 21:07:05 +00:00
elad
14dd40c754 Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel
and remove subsystem specific listeners; without this change they would
have ended up with a root user that can only do privileged operations.
2009-10-06 20:34:22 +00:00
elad
0bef641c61 Unify: >= 0 -> > -1. 2009-10-06 05:03:58 +00:00
elad
ce7ff2b92d Cosmetic changes to declarations. No functional change. 2009-10-06 05:01:51 +00:00
elad
756638cf95 Factor out a block of code that appears in three places (Veriexec, keylock,
and securelevel) so that others can use it as well.
2009-10-06 04:28:10 +00:00
elad
4c9fcb77c3 - Add usermount_common_policy() that implements some common (everything
but access control) user mounting policies: enforced MNT_NOSUID and
  MNT_NODEV, no MNT_EXPORT, MNT_EXEC propagation. This can be useful for
  secmodels that are interested in simply adding finer grained user mount
  support.

- Add a mount subsystem listener for KAUTH_REQ_SYSTEM_MOUNT_GET.
2009-10-05 04:20:13 +00:00
elad
a39251ecc2 Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.

Replace open-coded form with it in secmodel code (securelevel, keylock).

Note: I need to find a way to make secmodel_keylock.c ~<100 lines.
2009-10-03 20:48:42 +00:00
elad
5b3a96a24d Move KAUTH_NETWORK_BIND::KAUTH_REQ_NETWORK_BIND_PORT policy back to the
subsystem (or close to it).

Note: Revisit KAUTH_REQ_NETWORK_BIND_PRIVPORT.
2009-10-03 03:59:39 +00:00
elad
82ce55ed44 Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to
the subsystem.

Note: Consider killing the signal listener and sticking
      KAUTH_PROCESS_SIGNAL here as well.
2009-10-03 03:38:31 +00:00
elad
e62043d705 One less include. 2009-10-03 03:02:55 +00:00
elad
eab999856c Make this file a little bit smaller by collapsing cases. 2009-10-03 02:06:11 +00:00
elad
0dd621a02d Move clockctl policy exception back to the subsystem. 2009-10-03 02:01:12 +00:00
elad
0a0bbb40a7 secmodel_bsd44_curtain -> secmodel_suser_curtain (static). 2009-10-03 01:52:14 +00:00
elad
cee5cd7dd4 Move default network interface policy back to the subsystem. 2009-10-03 01:46:39 +00:00
elad
111de3833c Finish moving socket policy to the subsystem. 2009-10-03 01:41:39 +00:00
elad
452ced03bd Move sched policy back to the subsystem. 2009-10-03 01:30:25 +00:00
elad
6991fd9ea2 Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.
2009-10-03 00:37:01 +00:00
elad
212f5fa214 Move kevent policy back to the subsystem. 2009-10-03 00:14:07 +00:00
elad
abc7a4290b Put module loading policy back in the subsystem.
Revisit: consider moving kauth_init() above module_init() in main().
2009-10-03 00:06:37 +00:00
elad
1f98cab201 Put the tty opening policy back in the subsystem.
Remove include we don't need from the secmodel code.
2009-10-02 23:58:53 +00:00
elad
510083464f Move some of the socket policy back to the subsystem.
Remove include we don't need in the secmodel code.
2009-10-02 23:50:16 +00:00
elad
8751f894d8 Put signal delivery policy back in the subsystem. 2009-10-02 23:24:15 +00:00
elad
c2ba1b2a75 Remove includes we don't need. 2009-10-02 23:18:12 +00:00
elad
9f0d81cf10 Move routing socket security policy back to the subsystem. 2009-10-02 23:16:21 +00:00
elad
198c6aa6f5 - Squeeze function declarations where possible,
- KAUTH_RESULT_DEFER is the default (set at the beginning of each listener)
  and as such does not need to be set explicitly in the switches.
2009-10-02 23:06:33 +00:00
elad
51f0d6a0eb Put procfs policy back in the subsystem. 2009-10-02 23:00:02 +00:00
elad
09f3ac9e2f Stick nice policy in its own subsystem and call the listener "resource"
rather than "rlimit"...
2009-10-02 22:46:18 +00:00
elad
bcc5014bd0 Move rlimit policy back to the subsystem.
For this we needed proc_uidmatch() exposed, which makes a lot of sense,
so put it back in sys_process.c for use in other places as well.
2009-10-02 22:38:45 +00:00
elad
2ae3a70827 Move ptrace's security policy back to the subsystem itself.
Add a ptrace_init() so we have a place to register the listener; called
next to ktrinit().
2009-10-02 22:18:56 +00:00
elad
9a472060de Let the ipkdb subsystem allow operations related to it rather than wrongly
doing so in the suser secmodel.
2009-10-02 22:05:52 +00:00
elad
40cc528a28 Move psets security policy back to the subsystem and keep suser logic only
in the suser secmodel code.
2009-10-02 21:56:28 +00:00
elad
932cd15f91 Move ktrace's subsystem security policy to the subsystem itself, and keep
just the suser-related logic in the suser secmodel.
2009-10-02 21:47:35 +00:00
elad
780232ccbf Create securelevel variable under securelevel node. 2009-10-02 20:15:07 +00:00
elad
4e583a9ca6 Remove secmodel.h, forgotten in previous commit:
http://mail-index.netbsd.org/source-changes/2009/10/02/msg001437.html
2009-10-02 19:41:45 +00:00
elad
53ca19a3b3 First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
    and directory, pending even more cleanups. For revision history
    purposes, the original location of the files was

        src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
        src/sys/secmodel/bsd44/suser.h

  - Add a man-page for secmodel_suser(9) and update the one for
    secmodel_bsd44(9).

  - Add a "secmodel" module class and use it. Userland program and
    documentation updated.

  - Manage secmodel count (nsecmodels) through the module framework.
    This eliminates the need for secmodel_{,de}register() calls in
    secmodel code.

  - Prepare for secmodel modularization by adding relevant module bits.
    The secmodels don't allow auto unload. The bsd44 secmodel depends
    on the suser and securelevel secmodels. The overlay secmodel depends
    on the bsd44 secmodel. As the module class is only cosmetic, and to
    prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
    "secmodel_".

  - Adapt the overlay secmodel to recent changes (mainly vnode scope).

  - Stop using link-sets for the sysctl node(s) creation.

  - Keep sysctl variables under nodes of their relevant secmodels. In
    other words, don't create duplicates for the suser/securelevel
    secmodels under the bsd44 secmodel, as the latter is merely used
    for "grouping".

  - For the suser and securelevel secmodels, "advertise presence" in
    relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).

  - Get rid of the LKM preprocessor stuff.

  - As secmodels are now modules, there's no need for an explicit call
    to secmodel_start(); it's handled by the module framework. That
    said, the module framework was adjusted to properly load secmodels
    early during system startup.

  - Adapt rump to changes: Instead of using empty stubs for securelevel,
    simply use the suser secmodel. Also replace secmodel_start() with a
    call to secmodel_suser_start().

  - 5.99.20.

Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).

Mailing list reference:

	http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
2009-10-02 18:50:12 +00:00
elad
a162140107 Implement the vnode scope and adapt tmpfs to use it.
Mailing list reference:

	http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
2009-09-03 04:45:27 +00:00
mbalmer
385b2e3631 Move the keylock.h header from sys/sys to sys/dev where it really belongs.
Add keylock options to the ALL kernel configuration.
2009-08-15 09:43:58 +00:00
mbalmer
3ab4ce4739 Add support for multi-position electro-mechanical keylocks. An example
driver, gpiolock(4), is provided as an example how to interface real hardware.
A new securemodel, securemodel_keylock, is provided to show how this can
be used to tie keylocks to overall system security.  This is experimental
code.  The diff has been on tech-kern for several weeks.

Reviewed by many, kauth(9) integration reviewed by Elad Efrat; approved by
tonnerre@ and tron@.  Thanks to everyone who provided feedback.
2009-08-14 21:17:21 +00:00
plunky
4f6ac13367 reduce the number of KAUTH_DEVICE_BLUETOOTH_SEND/RECV requests
by passing the packet type as an argument rather than having
a different request for each type.

(from a suggestion by mrg)
2009-08-10 20:22:06 +00:00
plunky
80c6ec5db1 remove last usage of KAUTH_ISSUSER in bluetooth code by adding
some requests to the device scope:

	KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND
	KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND
	KAUTH_DEVICE_BLUETOOTH_RECV_EVENT
	KAUTH_DEVICE_BLUETOOTH_RECV_DATA

and a listener tied to the HCI protocol that will approve the basic
minimum to be sent and received.

handle the requests in the bsd44_suser listener by approving all
when the credential is root.
2009-08-10 18:25:20 +00:00
mbalmer
245a298f10 Extend the existing security models for upcoming gpio(4) changes.
Reviewed and feedback by Elad Efrat.
2009-07-25 16:08:02 +00:00
elad
17c0c1e672 Add and use a network scope action/request for tun(4), similar to ppp(4),
sl(4), and strip(4).
2009-05-08 11:09:43 +00:00
elad
9e9887cc59 Introduce several actions/requests for authorizing file-system related
operations, specifically quota and block allocation from reserved space.

Modify ufs_quotactl() to accomodate passing "mp" earlier by vfs_busy()ing
it a little bit higher.

Mailing list reference:

	http://mail-index.netbsd.org/tech-kern/2009/04/26/msg004936.html

Note that the umapfs request mentioned in this thread was NOT added as
there is still on-going discussion regarding the proper implementation.
2009-05-07 19:26:08 +00:00