tech-kern archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Vnode scope implementation
Hey,
Attached is the latest version of the vnode scope implementation. It
adds the necessary back-end, as well as integration with tmpfs.
One important change that is new is that fs_decision, although passed
to the authorization wrapper, is no longer passed to the listeners.
Instead, I have separated the listener decision aggregation code in
kauth_authorize_action() from the result translation, and now we have
kauth_authorize_action_internal() (static, of course), which does the
work of calling the listeners and returns one of three kauth(9) results
(allow, deny defer -- see the code). Kauth_authorize_action() calls it
and does the result translation (0, EPERM), taking "nsecmodels" into
account as before.
IMHO, this allows a much cleaner listener implementation: there's no
need to check the fs_decision and take it into account; the secmodel can
implement only what it's intended to (dholland@ might also appreciate
the lack of casting :).
The new kauth_authorize_action_internal() is used by the vnode scope
authorization wrapper similar to how kauth_authorize_action() uses it,
with the following differences:
- If the aggregated result is defer, instead of denying we return the
fs_decision, unless fs_decision is KAUTH_VNODE_REMOTEFS -- in which
case we "allow" (the file-system might itself deny, but we cannot).
- Because each file-system's access control is implemented internally
and not as a kauth(9) listener, we don't care about if no secmodels
have been loaded.
Everything else should be the same as previous versions.
Please take a moment to review at least the changes from previous
versions. :)
Thanks,
-e.
Index: sys/kern/kern_auth.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_auth.c,v
retrieving revision 1.63
diff -u -p -r1.63 kern_auth.c
--- sys/kern/kern_auth.c 16 Aug 2009 11:01:12 -0000 1.63
+++ sys/kern/kern_auth.c 28 Aug 2009 19:47:46 -0000
@@ -68,6 +68,7 @@ __KERNEL_RCSID(0, "$NetBSD: kern_auth.c,
#include <sys/sysctl.h> /* for pi_[p]cread */
#include <sys/atomic.h>
#include <sys/specificdata.h>
+#include <sys/vnode.h>
/*
* Secmodel-specific credentials.
@@ -142,6 +143,7 @@ static kauth_scope_t kauth_builtin_scope
static kauth_scope_t kauth_builtin_scope_machdep;
static kauth_scope_t kauth_builtin_scope_device;
static kauth_scope_t kauth_builtin_scope_cred;
+static kauth_scope_t kauth_builtin_scope_vnode;
static unsigned int nsecmodels = 0;
@@ -831,6 +833,10 @@ kauth_init(void)
/* Register device scope. */
kauth_builtin_scope_device = kauth_register_scope(KAUTH_SCOPE_DEVICE,
NULL, NULL);
+
+ /* Register vnode scope. */
+ kauth_builtin_scope_vnode = kauth_register_scope(KAUTH_SCOPE_VNODE,
+ NULL, NULL);
}
/*
@@ -924,11 +930,16 @@ kauth_unlisten_scope(kauth_listener_t li
* credential - credentials of the user ("actor") making the request.
* action - request identifier.
* arg[0-3] - passed unmodified to listener(s).
+ *
+ * Returns the aggregated result:
+ * - KAUTH_RESULT_ALLOW if there is at least one KAUTH_RESULT_ALLOW and
+ * zero KAUTH_DESULT_DENY
+ * - KAUTH_RESULT_DENY if there is at least one KAUTH_RESULT_DENY
+ * - KAUTH_RESULT_DEFER if there is nothing but KAUTH_RESULT_DEFER
*/
-int
-kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
- kauth_action_t action, void *arg0, void *arg1,
- void *arg2, void *arg3)
+static int
+kauth_authorize_action_internal(kauth_scope_t scope, kauth_cred_t cred,
+ kauth_action_t action, void *arg0, void *arg1, void *arg2, void *arg3)
{
kauth_listener_t listener;
int error, allow, fail;
@@ -958,16 +969,34 @@ kauth_authorize_action(kauth_scope_t sco
/* rw_exit(&kauth_lock); */
if (fail)
- return (EPERM);
+ return (KAUTH_RESULT_DENY);
if (allow)
+ return (KAUTH_RESULT_ALLOW);
+
+ return (KAUTH_RESULT_DEFER);
+};
+
+int
+kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
+ kauth_action_t action, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ int r;
+
+ r = kauth_authorize_action_internal(scope, cred, action, arg0, arg1,
+ arg2, arg3);
+
+ if (r == KAUTH_RESULT_DENY)
+ return (EPERM);
+
+ if (r == KAUTH_RESULT_ALLOW)
return (0);
if (!nsecmodels)
return (0);
return (EPERM);
-};
+}
/*
* Generic scope authorization wrapper.
@@ -1053,6 +1082,48 @@ kauth_authorize_device_passthru(kauth_cr
data, NULL));
}
+kauth_action_t
+kauth_mode_to_action(mode_t mode)
+{
+ kauth_action_t action = 0;
+
+ if (mode & VREAD)
+ action |= KAUTH_VNODE_READ_DATA;
+ if (mode & VWRITE)
+ action |= KAUTH_VNODE_WRITE_DATA;
+ if (mode & VEXEC)
+ action |= KAUTH_VNODE_EXECUTE;
+
+ return action;
+}
+
+int
+kauth_authorize_vnode(kauth_cred_t cred, kauth_action_t action,
+ struct vnode *vp, struct vnode *dvp, int fs_decision)
+{
+ int error;
+
+ error = kauth_authorize_action_internal(kauth_builtin_scope_vnode, cred,
+ action, vp, dvp, NULL, NULL);
+
+ if (error == KAUTH_RESULT_DENY)
+ return (EACCES);
+
+ if (error == KAUTH_RESULT_ALLOW)
+ return (0);
+
+ /*
+ * If the file-system does not support decision-before-action, we can
+ * only short-circuit the operation (deny). If we're here, it means no
+ * listener denied it, so our only alternative is to supposedly-allow
+ * it and let the file-system have the last word.
+ */
+ if (fs_decision == KAUTH_VNODE_REMOTEFS)
+ return (0);
+
+ return (fs_decision);
+}
+
static int
kauth_cred_hook(kauth_cred_t cred, kauth_action_t action, void *arg0,
void *arg1)
Index: sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.62
diff -u -p -r1.62 kauth.h
--- sys/sys/kauth.h 10 Aug 2009 20:22:06 -0000 1.62
+++ sys/sys/kauth.h 28 Aug 2009 19:47:46 -0000
@@ -67,6 +67,7 @@ typedef struct kauth_key *kauth_ke
#define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep"
#define KAUTH_SCOPE_DEVICE "org.netbsd.kauth.device"
#define KAUTH_SCOPE_CRED "org.netbsd.kauth.cred"
+#define KAUTH_SCOPE_VNODE "org.netbsd.kauth.vnode"
/*
* Generic scope - actions.
@@ -285,6 +286,43 @@ enum {
};
/*
+ * Vnode scope - action bits.
+ */
+#define KAUTH_VNODE_READ_DATA (1U << 0)
+#define KAUTH_VNODE_LIST_DIRECTORY KAUTH_VNODE_READ_DATA
+#define KAUTH_VNODE_WRITE_DATA (1U << 1)
+#define KAUTH_VNODE_ADD_FILE KAUTH_VNODE_WRITE_DATA
+#define KAUTH_VNODE_EXECUTE (1U << 2)
+#define KAUTH_VNODE_SEARCH KAUTH_VNODE_EXECUTE
+#define KAUTH_VNODE_DELETE (1U << 3)
+#define KAUTH_VNODE_APPEND_DATA (1U << 4)
+#define KAUTH_VNODE_ADD_SUBDIRECTORY KAUTH_VNODE_APPEND_DATA
+#define KAUTH_VNODE_READ_TIMES (1U << 5)
+#define KAUTH_VNODE_WRITE_TIMES (1U << 6)
+#define KAUTH_VNODE_READ_FLAGS (1U << 7)
+#define KAUTH_VNODE_WRITE_FLAGS (1U << 8)
+#define KAUTH_VNODE_READ_SYSFLAGS (1U << 9)
+#define KAUTH_VNODE_WRITE_SYSFLAGS (1U << 10)
+#define KAUTH_VNODE_RENAME (1U << 11)
+#define KAUTH_VNODE_CHANGE_OWNERSHIP (1U << 12)
+#define KAUTH_VNODE_READ_SECURITY (1U << 13)
+#define KAUTH_VNODE_WRITE_SECURITY (1U << 14)
+#define KAUTH_VNODE_READ_ATTRIBUTES (1U << 15)
+#define KAUTH_VNODE_WRITE_ATTRIBUTES (1U << 16)
+#define KAUTH_VNODE_READ_EXTATTRIBUTES (1U << 17)
+#define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1U << 18)
+
+#define KAUTH_VNODE_HAS_SYSFLAGS (1U << 30)
+#define KAUTH_VNODE_ACCESS (1U << 31)
+
+/*
+ * This is a special fs_decision indication that can be used by file-systems
+ * that don't support decision-before-action to tell kauth(9) it can only
+ * short-circuit the operation beforehand.
+ */
+#define KAUTH_VNODE_REMOTEFS (-1)
+
+/*
* Device scope, passthru request - identifiers.
*/
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ 0x00000001
@@ -326,6 +364,8 @@ int kauth_authorize_device_tty(kauth_cre
int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
struct vnode *);
int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
+int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *,
+ struct vnode *, int);
/* Kauth credentials management routines. */
kauth_cred_t kauth_cred_alloc(void);
@@ -373,6 +413,8 @@ int kauth_cred_uucmp(kauth_cred_t, const
void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *);
void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *);
+kauth_action_t kauth_mode_to_action(mode_t mode);
+
kauth_cred_t kauth_cred_get(void);
void kauth_proc_fork(struct proc *, struct proc *);
Index: sys/secmodel/securelevel/secmodel_securelevel.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/secmodel_securelevel.c,v
retrieving revision 1.12
diff -u -p -r1.12 secmodel_securelevel.c
--- sys/secmodel/securelevel/secmodel_securelevel.c 25 Jul 2009 16:08:02
-0000 1.12
+++ sys/secmodel/securelevel/secmodel_securelevel.c 28 Aug 2009 19:47:47
-0000
@@ -56,7 +56,8 @@ __KERNEL_RCSID(0, "$NetBSD: secmodel_sec
static int securelevel;
-static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device;
+static kauth_listener_t l_system, l_process, l_network, l_machdep, l_device,
+ l_vnode;
/*
* sysctl helper routine for securelevel. ensures that the value
@@ -126,6 +127,8 @@ secmodel_securelevel_start(void)
secmodel_securelevel_machdep_cb, NULL);
l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
secmodel_securelevel_device_cb, NULL);
+ l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
+ secmodel_securelevel_vnode_cb, NULL);
}
#if defined(_LKM)
@@ -137,6 +140,7 @@ secmodel_securelevel_stop(void)
kauth_unlisten_scope(l_network);
kauth_unlisten_scope(l_machdep);
kauth_unlisten_scope(l_device);
+ kauth_unlisten_scope(l_vnode);
}
#endif /* _LKM */
@@ -545,3 +549,21 @@ secmodel_securelevel_device_cb(kauth_cre
return (result);
}
+
+int
+secmodel_securelevel_vnode_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+
+ if ((action & KAUTH_VNODE_WRITE_SYSFLAGS) &&
+ (action & KAUTH_VNODE_HAS_SYSFLAGS)) {
+ if (securelevel > 0)
+ result = KAUTH_RESULT_DENY;
+ }
+
+ return (result);
+}
+
Index: sys/secmodel/securelevel/securelevel.h
===================================================================
RCS file: /cvsroot/src/sys/secmodel/securelevel/securelevel.h,v
retrieving revision 1.1
diff -u -p -r1.1 securelevel.h
--- sys/secmodel/securelevel/securelevel.h 21 Nov 2007 22:49:09 -0000
1.1
+++ sys/secmodel/securelevel/securelevel.h 28 Aug 2009 19:47:47 -0000
@@ -49,5 +49,7 @@ int secmodel_securelevel_machdep_cb(kaut
void *, void *, void *, void *);
int secmodel_securelevel_device_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
+int secmodel_securelevel_vnode_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
#endif /* !_SECMODEL_SECURELEVEL_SECURELEVEL_H_ */
Index: sys/secmodel/bsd44/suser.h
===================================================================
RCS file: /cvsroot/src/sys/secmodel/bsd44/suser.h,v
retrieving revision 1.5
diff -u -p -r1.5 suser.h
--- sys/secmodel/bsd44/suser.h 3 May 2009 21:25:44 -0000 1.5
+++ sys/secmodel/bsd44/suser.h 28 Aug 2009 19:47:47 -0000
@@ -50,5 +50,7 @@ int secmodel_bsd44_suser_machdep_cb(kaut
void *, void *, void *, void *);
int secmodel_bsd44_suser_device_cb(kauth_cred_t, kauth_action_t, void *,
void *, void *, void *, void *);
+int secmodel_bsd44_suser_vnode_cb(kauth_cred_t, kauth_action_t, void *,
+ void *, void *, void *, void *);
#endif /* !_SECMODEL_BSD44_SUSER_H_ */
Index: sys/secmodel/bsd44/secmodel_bsd44_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c,v
retrieving revision 1.70
diff -u -p -r1.70 secmodel_bsd44_suser.c
--- sys/secmodel/bsd44/secmodel_bsd44_suser.c 10 Aug 2009 20:22:06 -0000
1.70
+++ sys/secmodel/bsd44/secmodel_bsd44_suser.c 28 Aug 2009 19:47:47 -0000
@@ -65,7 +65,7 @@ __KERNEL_RCSID(0, "$NetBSD: secmodel_bsd
extern int dovfsusermount;
static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep,
- l_device;
+ l_device, l_vnode;
void
secmodel_bsd44_suser_start(void)
@@ -82,6 +82,8 @@ secmodel_bsd44_suser_start(void)
secmodel_bsd44_suser_machdep_cb, NULL);
l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
secmodel_bsd44_suser_device_cb, NULL);
+ l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
+ secmodel_bsd44_suser_vnode_cb, NULL);
}
#if defined(_LKM)
@@ -94,6 +96,7 @@ secmodel_bsd44_suser_stop(void)
kauth_unlisten_scope(l_network);
kauth_unlisten_scope(l_machdep);
kauth_unlisten_scope(l_device);
+ kauth_unlisten_scope(l_vnode);
}
#endif /* _LKM */
@@ -1151,6 +1154,7 @@ secmodel_bsd44_suser_device_cb(kauth_cre
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
+
case KAUTH_DEVICE_GPIO_PINSET:
/*
* root can access gpio pins, secmodel_securlevel can veto
@@ -1159,6 +1163,7 @@ secmodel_bsd44_suser_device_cb(kauth_cre
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
+
default:
result = KAUTH_RESULT_DEFER;
break;
@@ -1166,3 +1171,20 @@ secmodel_bsd44_suser_device_cb(kauth_cre
return (result);
}
+
+int
+secmodel_bsd44_suser_vnode_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ bool isroot;
+ int result;
+
+ isroot = (kauth_cred_geteuid(cred) == 0);
+ result = KAUTH_RESULT_DEFER;
+
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+
+ return (result);
+}
+
Index: sys/fs/tmpfs/tmpfs_subr.c
===================================================================
RCS file: /cvsroot/src/sys/fs/tmpfs/tmpfs_subr.c,v
retrieving revision 1.53
diff -u -p -r1.53 tmpfs_subr.c
--- sys/fs/tmpfs/tmpfs_subr.c 7 May 2009 19:30:30 -0000 1.53
+++ sys/fs/tmpfs/tmpfs_subr.c 28 Aug 2009 19:47:48 -0000
@@ -964,6 +964,8 @@ tmpfs_chflags(struct vnode *vp, int flag
{
int error;
struct tmpfs_node *node;
+ kauth_action_t = KAUTH_VNODE_WRITE_FLAGS;
+ int fs_decision = 0;
KASSERT(VOP_ISLOCKED(vp));
@@ -973,30 +975,44 @@ tmpfs_chflags(struct vnode *vp, int flag
if (vp->v_mount->mnt_flag & MNT_RDONLY)
return EROFS;
- /* XXX: The following comes from UFS code, and can be found in
- * several other file systems. Shouldn't this be centralized
- * somewhere? */
- if (kauth_cred_geteuid(cred) != node->tn_uid &&
- (error = kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER,
- NULL)))
+ if (kauth_cred_geteuid(cred) != node->tn_uid)
+ fs_decision = EACCES;
+
+ /*
+ * If the new flags have non-user flags that are different than
+ * those on the node, we need special permission to change them.
+ */
+ if ((flags & SF_SETTABLE) != (node->tn_flags & SF_SETTABLE)) {
+ action |= KAUTH_VNODE_WRITE_SYSFLAGS;
+ if (!fs_decision)
+ fs_decision = EPERM;
+ }
+
+ /*
+ * Indicate that this node's flags have system attributes in them if
+ * that's the case.
+ */
+ if (node->tn_flags & (SF_IMMUTABLE | SF_APPEND)) {
+ action |= KAUTH_VNODE_HAS_SYSFLAGS;
+ }
+
+ error = kauth_authorize_vnode(cred, action, vp, NULL, fs_decision);
+ if (error)
return error;
- if (kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER, NULL) == 0) {
- /* The super-user is only allowed to change flags if the file
- * wasn't protected before and the securelevel is zero. */
- if ((node->tn_flags & (SF_IMMUTABLE | SF_APPEND)) &&
- kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHSYSFLAGS,
- 0, NULL, NULL, NULL))
- return EPERM;
+
+ /*
+ * Set the flags. If we're not setting non-user flags, be careful not
+ * to overwrite them.
+ *
+ * XXX: Can't we always assign here? if the system flags are different,
+ * the code above should catch attempts to change them without
+ * proper permissions, and if we're here it means it's okay to
+ * change them...
+ */
+ if (action & KAUTH_VNODE_WRITE_SYSFLAGS) {
node->tn_flags = flags;
} else {
- /* Regular users can change flags provided they only want to
- * change user-specific ones, not those reserved for the
- * super-user. */
- if ((node->tn_flags & (SF_IMMUTABLE | SF_APPEND)) ||
- (flags & UF_SETTABLE) != flags)
- return EPERM;
- if ((node->tn_flags & SF_SETTABLE) != (flags & SF_SETTABLE))
- return EPERM;
+ /* Clear all user-settable flags and re-set them. */
node->tn_flags &= SF_SETTABLE;
node->tn_flags |= (flags & UF_SETTABLE);
}
@@ -1036,6 +1052,9 @@ tmpfs_chmod(struct vnode *vp, mode_t mod
error = genfs_can_chmod(vp, cred, node->tn_uid, node->tn_gid,
mode);
+
+ error = kauth_authorize_vnode(cred, KAUTH_VNODE_WRITE_SECURITY, vp,
+ NULL, error);
if (error)
return (error);
@@ -1087,6 +1106,9 @@ tmpfs_chown(struct vnode *vp, uid_t uid,
error = genfs_can_chown(vp, cred, node->tn_uid, node->tn_gid, uid,
gid);
+
+ error = kauth_authorize_vnode(cred, KAUTH_VNODE_CHANGE_OWNERSHIP, vp,
+ NULL, error);
if (error)
return (error);
@@ -1186,6 +1208,9 @@ tmpfs_chtimes(struct vnode *vp, const st
return EPERM;
error = genfs_can_chtimes(vp, vaflags, node->tn_uid, cred);
+
+ error = kauth_authorize_vnode(cred, KAUTH_VNODE_WRITE_TIMES, vp, NULL,
+ error);
if (error)
return (error);
Index: sys/fs/tmpfs/tmpfs_vnops.c
===================================================================
RCS file: /cvsroot/src/sys/fs/tmpfs/tmpfs_vnops.c,v
retrieving revision 1.61
diff -u -p -r1.61 tmpfs_vnops.c
--- sys/fs/tmpfs/tmpfs_vnops.c 3 Jul 2009 21:17:41 -0000 1.61
+++ sys/fs/tmpfs/tmpfs_vnops.c 28 Aug 2009 19:47:48 -0000
@@ -209,15 +209,31 @@ tmpfs_lookup(void *v)
if ((cnp->cn_flags & ISLASTCN) &&
(cnp->cn_nameiop == DELETE ||
cnp->cn_nameiop == RENAME)) {
+ kauth_action_t action = 0;
+
+ /* This is the file-system's decision. */
if ((dnode->tn_mode & S_ISTXT) != 0 &&
- kauth_authorize_generic(cnp->cn_cred,
- KAUTH_GENERIC_ISSUSER, NULL) != 0 &&
kauth_cred_geteuid(cnp->cn_cred) !=
dnode->tn_uid &&
kauth_cred_geteuid(cnp->cn_cred) !=
tnode->tn_uid)
- return EPERM;
- error = VOP_ACCESS(dvp, VWRITE, cnp->cn_cred);
+ error = EPERM;
+ else
+ error = 0;
+
+ /* Only bother if we're not already failing it.
*/
+ if (!error) {
+ error = VOP_ACCESS(dvp, VWRITE,
cnp->cn_cred);
+ }
+
+ if (cnp->cn_nameiop == DELETE)
+ action |= KAUTH_VNODE_DELETE;
+ else /* if (cnp->cn_nameiop == RENAME) */
+ action |= KAUTH_VNODE_RENAME;
+
+ error = kauth_authorize_vnode(cnp->cn_cred,
+ action, *vpp, dvp, error);
if (error != 0)
goto out;
+
cnp->cn_flags |= SAVENAME;
} else
de = NULL;
@@ -406,6 +422,9 @@ tmpfs_access(void *v)
error = tmpfs_check_permitted(vp, node, mode, cred);
+ error = kauth_authorize_vnode(cred, kauth_mode_to_action(mode), vp,
+ NULL, error);
+
out:
KASSERT(VOP_ISLOCKED(vp));
Home |
Main Index |
Thread Index |
Old Index