Subject: Re: KAUTH_REQ_NETWORK_SOCKET_OPEN
To: Iain Hibbert <firstname.lastname@example.org>
From: Elad Efrat <elad@NetBSD.org>
Date: 02/01/2007 00:29:25
Iain Hibbert wrote:
>> I think the 4.4BSD model may as well get another hard-coded exception.
I agree with David here.
>> The rule "only root can create a raw socket, PF_ROUTE and PF_BLUETOOTH
>> sockets excepted" is a blunt instrument for enforcing a policy on
>> what packets a program can send and receive. It leads to risky
>> business like using a setuid program to send and receive innocuous
>> ICMP Echo packets. Going forwards, *perhaps* the granularity needs to
>> be finer---socket(PF_ICMP, SOCK_DGRAM, ICMP_ECHO), anyone?---or else
>> a different mechanism should enforce the policy (packet filter rules
>> applied to programs and processes?).
> I had a thought that rather than adding hardcoded values to the kauth
> request, if it took a pointer to the protosw instead of (domain, type,
> proto), there could be a PR_RESTRICT flag on specific protocols to lock
> them off... (e.g. below)
I don't think this is the way to do it. This is another example of
forcing the design of the KPI because of a single secmodel.
You are not adding "hardcoded values to the kauth request". The request,
IIUC, remains the same, and you add a special case in the bsd44 secmodel
code -- like David already suggested.
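As an added illustration of the two placements argued over above (this is not code from the thread or from NetBSD's source tree): a user-space model in which the same "raw sockets are root-only, PF_ROUTE and PF_BLUETOOTH excepted" policy lives either in a 4.4BSD secmodel listener that receives (domain, type, proto), or in a PR_RESTRICT flag on a protosw entry looked up from the (domain, type) pair. The listener signature, the numeric constants, the PR_RESTRICT bit, the pffindtype_model() helper and the protosw table are all stand-ins assumed for the example, modelled loosely on kauth(9) and struct protosw, and the table contents are constructed for the demonstration.

```c
/*
 * Added example, not NetBSD code. Constants, names and the protosw
 * table below are assumed stand-ins, chosen only to show where the
 * policy decision lives in each design.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { PF_INET = 2, PF_ROUTE = 17, PF_BLUETOOTH = 31 };   /* assumed values */
enum { SOCK_DGRAM = 2, SOCK_RAW = 3 };
enum { IPPROTO_ICMP = 1 };

/* kauth(9)-style result codes and identifiers (modelled, not the real ones). */
enum { KAUTH_RESULT_DEFER = 0, KAUTH_RESULT_ALLOW, KAUTH_RESULT_DENY };
enum { KAUTH_NETWORK_SOCKET = 1 };
enum { KAUTH_REQ_NETWORK_SOCKET_OPEN = 1 };

typedef struct { unsigned euid; } kauth_cred_t;   /* only euid matters here */
static bool isroot(const kauth_cred_t *cred) { return cred->euid == 0; }

/*
 * Design A (David's and Elad's position): the request keeps its
 * (domain, type, proto) shape; the bsd44 secmodel listener carries the
 * hard-coded exceptions and the KPI is untouched.
 */
static int
bsd44_network_listener(const kauth_cred_t *cred, int action, int req,
    long domain, long type, long proto)
{
    (void)proto;
    if (action != KAUTH_NETWORK_SOCKET || req != KAUTH_REQ_NETWORK_SOCKET_OPEN)
        return KAUTH_RESULT_DEFER;            /* not this listener's business */
    if (domain == PF_ROUTE || domain == PF_BLUETOOTH)
        return KAUTH_RESULT_ALLOW;            /* the hard-coded exceptions */
    if (type == SOCK_RAW)                     /* raw sockets stay root-only */
        return isroot(cred) ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
    return KAUTH_RESULT_ALLOW;
}

/*
 * Design B (Iain's suggestion): the request would carry a protosw
 * pointer, and a PR_RESTRICT bit on the protocol entry decides, so the
 * policy moves into the protocol tables and the request changes shape.
 */
enum { PR_RESTRICT = 0x01 };                  /* assumed flag bit */
struct protosw { int pr_domain; int pr_type; int pr_flags; };

static const struct protosw constructed_protosw[] = {   /* constructed table */
    { PF_INET,      SOCK_RAW,   PR_RESTRICT },
    { PF_INET,      SOCK_DGRAM, 0 },
    { PF_ROUTE,     SOCK_RAW,   0 },          /* exception = flag absent */
    { PF_BLUETOOTH, SOCK_RAW,   0 },
};
#define NPROTOSW (sizeof(constructed_protosw) / sizeof(constructed_protosw[0]))

static const struct protosw *
pffindtype_model(int domain, int type)        /* assumed lookup helper */
{
    for (size_t i = 0; i < NPROTOSW; i++)
        if (constructed_protosw[i].pr_domain == domain &&
            constructed_protosw[i].pr_type == type)
            return &constructed_protosw[i];
    return NULL;
}

static int
protosw_flag_listener(const kauth_cred_t *cred, const struct protosw *prp)
{
    if (prp == NULL)
        return KAUTH_RESULT_DENY;             /* no such (domain, type) */
    if (prp->pr_flags & PR_RESTRICT)
        return isroot(cred) ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
    return KAUTH_RESULT_ALLOW;
}

/* 1 if the open is permitted under design A, else 0. */
int socket_open_allowed_a(unsigned euid, int domain, int type, int proto)
{
    kauth_cred_t cred = { euid };
    return bsd44_network_listener(&cred, KAUTH_NETWORK_SOCKET,
        KAUTH_REQ_NETWORK_SOCKET_OPEN, domain, type, proto) == KAUTH_RESULT_ALLOW;
}

/* 1 if the open is permitted under design B, else 0. */
int socket_open_allowed_b(unsigned euid, int domain, int type)
{
    kauth_cred_t cred = { euid };
    return protosw_flag_listener(&cred, pffindtype_model(domain, type))
        == KAUTH_RESULT_ALLOW;
}

/* 1 if both designs give the same answer for every table entry, root and non-root. */
int designs_agree(void)
{
    static const unsigned euids[] = { 0, 1000 };
    for (size_t i = 0; i < NPROTOSW; i++)
        for (size_t u = 0; u < 2; u++) {
            const struct protosw *p = &constructed_protosw[i];
            if (socket_open_allowed_a(euids[u], p->pr_domain, p->pr_type, 0) !=
                socket_open_allowed_b(euids[u], p->pr_domain, p->pr_type))
                return 0;
        }
    return 1;
}

int main(void)
{
    printf("non-root PF_INET SOCK_RAW: A=%d B=%d\n",
        socket_open_allowed_a(1000, PF_INET, SOCK_RAW, IPPROTO_ICMP),
        socket_open_allowed_b(1000, PF_INET, SOCK_RAW));
    printf("non-root PF_ROUTE SOCK_RAW: A=%d B=%d\n",
        socket_open_allowed_a(1000, PF_ROUTE, SOCK_RAW, 0),
        socket_open_allowed_b(1000, PF_ROUTE, SOCK_RAW));
    printf("designs agree on every table entry: %d\n", designs_agree());
    return 0;
}
```

Both designs reach the same verdicts for the entries in the constructed table; the difference is where the exception is written down. In design A the decision, and any later refinement such as a per-protocol ICMP Echo allowance, is local to one secmodel and other secmodels see an unchanged request; in design B the exception becomes a property of the protocol table that every secmodel inherits, which is the coupling the reply objects to.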