Commit Graph

62 Commits

Author SHA1 Message Date
ad
b07ec3fc38 Merge newlock2 to head. 2007-02-09 21:55:00 +00:00
plunky
e9dd2c35eb Add another hardwired exception to the SOCK_RAW / superuser rule, because
(PF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) sockets need to be accessible for
normal users.
2007-02-01 08:49:05 +00:00
elad
a78693aa19 Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.
2007-01-20 16:47:38 +00:00
elad
f266f9a5db Use secmodel_register() and secmodel_deregister(). 2007-01-16 11:53:00 +00:00
elad
2b3921e3e7 Implement secmodel_bsd44_start(), secmodel_bsd44_stop(), and
secmodel_overlay_start().
2007-01-16 00:11:39 +00:00
elad
0ac991a582 Avoid proc_uidmatch() for rlimits if p is curproc. 2007-01-15 17:47:06 +00:00
elad
d4e427ef80 '&securelevel' -> 'NULL', pointed out by cube@, thanks! 2007-01-15 11:58:00 +00:00
elad
a37f8a3813 Make 'securelevel' internal to the secmodel. 2007-01-10 11:20:20 +00:00
elad
de8fa4821d Make readable. 2007-01-09 16:19:27 +00:00
elad
76f1c03beb Remove advertising clause from all of my stuff. 2007-01-09 12:57:56 +00:00
elad
0ff4d47ce3 Fallthrough. 2007-01-05 13:21:53 +00:00
elad
faf71534b5 Add 'stop' routines to do the exact opposite of the 'start' routines for
'securelevel' and 'suser' parts of secmodel_bsd44.
2007-01-02 23:58:20 +00:00
elad
81fe5ba5fc Don't compile secmodel_start() if built as an LKM. 2007-01-02 23:47:09 +00:00
elad
5ef5c7c8ab Add prototypes for the sysctl(9) setup routines for LKMs only. 2007-01-02 23:35:37 +00:00
elad
9f1a7cc74f Don't leak listeners. 2007-01-02 23:30:29 +00:00
elad
89b1051729 Consistent naming in sysctl(9) setup routines. 2007-01-02 13:01:46 +00:00
elad
004947a094 Add missing break... 2007-01-02 12:15:52 +00:00
elad
9fc29b4efc Make the securelevel contained by not exposing the variable that keeps
it outside secmodel_bsd44_securelevel.c.
2007-01-02 11:46:44 +00:00
elad
d4e1860d1a Add KAUTH_SYSTEM_CHSYSFLAGS so we can get rid of the last three
securelevel references (ufs, ext2fs, tmpfs).

Intentionally undocumented.
2007-01-02 11:18:56 +00:00
elad
40894ca786 Need vnode.h here. 2007-01-02 11:06:29 +00:00
elad
a13160f423 Make mount(2) and unmount(2) use kauth(9) for security policy.
Okay yamt@.
2007-01-02 10:47:28 +00:00
elad
1e2869f580 Remove XXX comment about making 'securelevel' a static. 2006-12-31 10:38:18 +00:00
elad
92c473da20 Explicitly 'extern int securelevel;' in the sysctl(9) setup routine. 2006-12-31 10:36:44 +00:00
elad
4798cd2cab Support device scope. 2006-12-29 18:34:28 +00:00
elad
8764325d83 Refactor a bit the ptrace(2) code: first make the keep-kernel-stable
decisions, then have a kauth(9) call for security policy enforcement,
and only then proceed to processing each request.

Add a KAUTH_PROCESS_CANSEE call right after pfind(). This should really
be done differently, so mark it with XXX.
2006-12-27 10:02:46 +00:00
elad
504c71d9fe Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
2006-12-26 10:43:43 +00:00
elad
f02f51a039 PR/35226: Johann Franz: Problems with permissions in
/usr/pkg/emul/linux/proc .

Okay mlelstv@
2006-12-25 12:13:54 +00:00
elad
3d11477c94 Add requests indicating access to unmanaged memory for arm, pc532, powerpc,
sh3, sh5, and vax, and use them instead of KAUTH_GENERIC_ISSUSER.

Update documentation and example secmodel code.
2006-12-22 11:13:21 +00:00
elad
9033a922ea Don't allow anyone but the superuser to do 'ctl' on procfs nodes. 2006-12-19 10:07:00 +00:00
elad
238ad51d2d - moves 'nice' access semantics to secmodel code,
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
  allowed to view the target process' corename, stop flags, and
  rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
  KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
  and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.

okay yamt@

this is a pullup candidate.
2006-12-14 11:45:08 +00:00
elad
432c309931 Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.

Discussed on tech-security@ and tech-kern@. Okay tls@.
2006-12-02 03:10:42 +00:00
elad
8bb202af97 Move ktrace, ptrace, systrace, and procfs to use kauth(9).
First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.

Add secmodel back-end to handle each subsystem.
2006-11-28 17:27:09 +00:00
elad
f7fbd2e8b5 Add an XXX comment so we don't forget what we need to do here:
* XXX: This is bogus. We should be failing the request
* XXX: not only if this specific slice is mounted, but
* XXX: if it's on a disk with any other mounted slice.
2006-11-26 17:21:25 +00:00
elad
539403d985 Prevent iopl/ioperm in securelevel 1, not 2. 2006-11-22 20:57:52 +00:00
elad
4b316db1d1 Introduce KAUTH_REQ_MACHDEP_{ALPHA,X86}_UNMANAGEDMEM to handle access
to unmanaged memory.

These are the last two securelevel references in the MD code.
2006-11-22 12:12:51 +00:00
christos
168cd830d2 __unused removal on arguments; approved by core. 2006-11-16 01:32:37 +00:00
dyoung
af1a9920a0 Fix a regression in socket(2): in the BSD 4.4 security model, you
don't have to be the superuser to open a PF_ROUTE socket.

Now, 'route -n get default' works again.
2006-11-14 05:20:21 +00:00
elad
75451f036c Better VCHR handling. 2006-11-07 08:53:49 +00:00
elad
993da55808 simplify & fix logic in device/rawio/spec. 2006-11-06 02:02:18 +00:00
elad
03a082e7aa Oops, forgot to do this one in previous commit.
Pointed out by mjf@, thanks!
2006-11-04 15:36:37 +00:00
elad
63d078b99e Use KASSERT() as requested by yamt@. 2006-11-04 09:56:59 +00:00
elad
fe9e2303fd Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o
requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU.

Expose iskmemdev() through sys/conf.h.

okay yamt@
2006-11-04 09:30:00 +00:00
elad
52d8744717 Use integers, not pointers to integers, for KAUTH_REQ_NETWORK_SOCKET_OPEN.
Reminded by yamt@, thanks!
2006-10-30 16:53:48 +00:00
elad
adf8d7aab2 Introduce KAUTH_REQ_NETWORK_SOCKET_OPEN, to check if opening a socket is
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).

Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indicating it for
future reference.

Documented and updated examples as well.
2006-10-25 22:49:22 +00:00
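Added illustration, not NetBSD's secmodel_bsd44 code: a user-space C model of the SOCK_RAW / superuser rule as the entries above describe it, with KAUTH_REQ_NETWORK_SOCKET_OPEN taking domain, type and protocol as plain ints (52d8744717) and the two hardwired exceptions recorded in this log, PF_ROUTE (af1a9920a0) and (PF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) (e9dd2c35eb). The function and result names are this example's own, and the fallback constant values are assumptions for hosts whose libc does not define them; the sample requests in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Fallbacks for hosts whose libc lacks these; the values are assumed. */
#ifndef PF_ROUTE
#define PF_ROUTE 17
#endif
#ifndef PF_BLUETOOTH
#define PF_BLUETOOTH 31
#endif
#ifndef BTPROTO_HCI
#define BTPROTO_HCI 1
#endif

/* Result names belong to this example, not to kauth(9). */
enum policy_result { POLICY_DENY = 0, POLICY_ALLOW = 1 };

/*
 * Decide a socket-open request. Domain, type and protocol arrive as plain
 * ints. Anything that is not SOCK_RAW is unrestricted here; SOCK_RAW needs
 * the superuser unless the request matches one of the hardwired exceptions.
 */
enum policy_result
socket_open_policy(bool superuser, int domain, int type, int protocol)
{
	if (type != SOCK_RAW)
		return POLICY_ALLOW;

	/* Exception: routing sockets, so 'route -n get default' works unprivileged. */
	if (domain == PF_ROUTE)
		return POLICY_ALLOW;

	/* Exception: Bluetooth HCI raw sockets, which normal users need. */
	if (domain == PF_BLUETOOTH && protocol == BTPROTO_HCI)
		return POLICY_ALLOW;

	/* Default SOCK_RAW rule: superuser only. */
	return superuser ? POLICY_ALLOW : POLICY_DENY;
}

/* Convenience wrapper for the common unprivileged case. */
bool
unprivileged_can_open(int domain, int type, int protocol)
{
	return socket_open_policy(false, domain, type, protocol) == POLICY_ALLOW;
}

int
main(void)
{
	/* Constructed sample requests, one per branch of the policy. */
	struct { const char *name; int domain, type, proto; } reqs[] = {
		{ "PF_INET/SOCK_STREAM/TCP",     PF_INET,      SOCK_STREAM, IPPROTO_TCP },
		{ "PF_INET/SOCK_RAW/ICMP",       PF_INET,      SOCK_RAW,    IPPROTO_ICMP },
		{ "PF_ROUTE/SOCK_RAW/0",         PF_ROUTE,     SOCK_RAW,    0 },
		{ "PF_BLUETOOTH/SOCK_RAW/HCI",   PF_BLUETOOTH, SOCK_RAW,    BTPROTO_HCI },
		{ "PF_BLUETOOTH/SOCK_RAW/other", PF_BLUETOOTH, SOCK_RAW,    BTPROTO_HCI + 1 },
	};
	size_t i;

	printf("%-32s %-6s %-6s\n", "request", "root", "user");
	for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
		enum policy_result r = socket_open_policy(true, reqs[i].domain,
		    reqs[i].type, reqs[i].proto);
		enum policy_result u = socket_open_policy(false, reqs[i].domain,
		    reqs[i].type, reqs[i].proto);
		printf("%-32s %-6s %-6s\n", reqs[i].name,
		    r == POLICY_ALLOW ? "allow" : "deny",
		    u == POLICY_ALLOW ? "allow" : "deny");
	}
	return 0;
}
```

The point to check against a real secmodel is the shape of the exceptions: PF_ROUTE is matched on the domain alone, while the Bluetooth case is a full (domain, type, protocol) triple, so a non-HCI Bluetooth raw socket still falls through to the superuser rule. On Linux hosts PF_ROUTE is an alias of PF_NETLINK, which does not change the decision logic.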
elad
d1b4b1326c oops, fix license. (hah!) 2006-10-24 11:53:12 +00:00
elad
305fe09181 Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE,
used to manage network interfaces.

Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.
2006-10-20 23:10:33 +00:00
elad
fab05f403b Add a new ALTQ kauth(9) request, KAUTH_REQ_NETWORK_ALTQ_JOBS. 2006-10-20 22:02:54 +00:00
elad
8c494ca741 Introduce KAUTH_REQ_NETWORK_SOCKET_CANSEE. Since we're not gonna be having
credentials on sockets, at least not anytime soon, this is a way to check
if we can "look" at a socket. Later on when (and if) we do have socket
credentials, the interface usage remains the same because we pass the
socket.

This also fixes sysctl for inet/inet6 pcblist.
2006-10-13 15:39:18 +00:00
christos
4d595fd7b1 - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
2006-10-12 01:30:41 +00:00
elad
9ac35e8640 For raw disk requests, in case we don't have a vnode/device, use a
generic policy: always allow reading, allow writing in securelevel < 1
only.
2006-10-12 00:19:10 +00:00