Subject: Re: kauth and access to process credentials
To: Bill Studenmund <wrstuden@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 02/18/2007 21:41:42
On Sun, Feb 18, 2007 at 01:05:32PM -0800, Bill Studenmund wrote:
> On Sun, Feb 18, 2007 at 02:10:23PM +0000, David Laight wrote:
> > The kauth code seems to be full of wrapper functions.
> > 
> > In particular every piece of code that needs to look at one of the
> > process's uids ends up calling a function.
> > This might be reasonable for LKMs, but for code that is linked into the
> > main kernel image rather OTT.
> 
> That's rather the point of kauth. It's supposed to be the only code area 
> that actually knows what a credential is, so that it can change them as 
> desired. If you want to know something, you have to ask it.

You are allowed to ask for the uids and gids, and a lot of code (for
compatibility reasons) has to make very specific comparisons between
the uids and gids before doing some actions.

With the kauth scheme you have NFI whether some syscall code is doing
appropriate checks before doing some action - and you always require it
to request those checks - so the kauth code cannot enforce security that
wasn't there before.

For an example of the code I'm looking at, search for pfind() in
src/sys/compat/linux/common/linux_sched.c
where it does:
	  kauth_authorize_generic(pc, KAUTH_GENERIC_ISSUSER, NULL) == 0 ||
	  kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) ||
	  kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) ||
	  kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) ||
	  kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred)))
This used to be simple structure indirecting...

It is possible that this is the same as KAUTH_PROCESS_CANSEE, but who knows.

There is similar code in other emulations - I merged the freebsd ones
into a common routine (local to the file) earlier.

	David

-- 
David Laight: david@l8s.co.uk
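The five-way uid/euid cross-check quoted from linux_sched.c, factored into the kind of file-local common routine the mail mentions for the FreeBSD emulation. This is an added stand-alone model, not NetBSD code: a plain struct stands in for the opaque kauth_cred_t, and "is superuser" is modelled as euid == 0, which is an assumption rather than what KAUTH_GENERIC_ISSUSER actually evaluates.

```c
#include <stdbool.h>

/* Constructed stand-in for kauth_cred_t: only the two fields the check reads. */
struct cred {
    unsigned uid;   /* real uid */
    unsigned euid;  /* effective uid */
};

/* Stand-in for kauth_authorize_generic(pc, KAUTH_GENERIC_ISSUSER, NULL) == 0.
 * Assumption: superuser means effective uid 0. */
static bool cred_is_superuser(const struct cred *pc)
{
    return pc->euid == 0;
}

/* The test from the quoted snippet as one routine: caller pc may act on the
 * target's credential tc if pc is superuser, or if either of pc's uids equals
 * either of tc's uids (real/effective compared in all four combinations). */
bool emul_cred_can_see(const struct cred *pc, const struct cred *tc)
{
    if (cred_is_superuser(pc))
        return true;
    return pc->uid  == tc->uid  ||
           pc->euid == tc->uid  ||
           pc->uid  == tc->euid ||
           pc->euid == tc->euid;
}

/* Convenience wrapper taking the four uids directly. */
bool can_see_uids(unsigned puid, unsigned peuid, unsigned tuid, unsigned teuid)
{
    struct cred pc = { puid, peuid };
    struct cred tc = { tuid, teuid };
    return emul_cred_can_see(&pc, &tc);
}

int main(void)
{
    /* Constructed cases: root sees anyone; an unrelated user does not;
     * a user running a set-uid binary matches the target via its euid. */
    bool ok = can_see_uids(0, 0, 1001, 1001) &&
              !can_see_uids(1000, 1000, 1001, 1001) &&
              can_see_uids(1000, 1001, 1001, 1001);
    return ok ? 0 : 1;
}
```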