Subject: Upcoming security model abstraction
To: None <tech-kern@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 08/25/2006 01:42:46
Hi,
Recently I've been working on abstracting NetBSD's security model
to its own set of kauth(9) listeners. There's code for the listeners,
as well as initial diff for replacing the KAUTH_GENERIC_ISSUSER
requests with something more specific.
Due to it being spread across multiple files and quite big in size, I've
placed it all online:
http://www.bsd.org.il/netbsd/secmodel/
The idea is that we'll have a new directory under src/sys, called
'secmodel'. Each security model we ship (for now there are no plans to
ship anything other than the one we have now, don't worry :) will be
under its own directory. The default one is called "bsd44".
The files suser.[ch] and securelevel.[ch] implement the superuser
and securelevel implications, respectively. You can see how easy it is
to inspect the model -- it's all centralized in one easy to read file.
Some questions that you may have:
Q: What are the implications of this change for normal users?
A: None. Lots of work was put into making this completely transparent.
Q: What are the implications of this change for developers?
A: Several:
- You are very strongly discouraged from adding code that uses
KAUTH_GENERIC_ISSUSER requests or checks 'securelevel' directly,
- You are very strongly discouraged from directly comparing
user/group-ids as means for authorization.
Q: How do we know these changes don't break anything or change
behavior?
A: You can take a look at the code and diff yourself, it's pretty small
right now. Also, efforts are being made to write a regression test-suite,
which will be used to evaluate the consistency of the changes before
committing. The regression test-suite will also be publicly available.
Q: What other security models are you going to add?
A: None. When (and if) I will, you can expect a detailed post with the
suggested design.
Q: When are you going to commit this?
A: Probably a week or two from now.
Q: Where are man-page updates?
A: Working on it. :) No code will be committed without man-page updates.
Q: Will there be documentation on how to write new security models?
A: Yes, once we're done with the abstraction.
Please CC me on replies.
-e.
--
Elad Efrat
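As an added illustration (not code from this post or from NetBSD's kauth(9)), here is a user-space model of the pattern the post describes: a dispatcher that asks registered listeners about a specific request, and a single "bsd44"-style listener holding the superuser and securelevel implications in one place, so callers no longer check KAUTH_GENERIC_ISSUSER, 'securelevel' or uids themselves. Every type, function name and the two request kinds are invented for the example.

```c
/* Added illustration, not code from the post or from NetBSD: a user-space
 * model of the listener pattern the post describes; all names are invented. */
enum result { RESULT_DEFER = 0, RESULT_ALLOW, RESULT_DENY };
enum action { ACT_REBOOT, ACT_LOWER_SECURELEVEL };   /* constructed request types */
struct cred { unsigned int euid; };
typedef enum result (*listener_fn)(const struct cred *, enum action, void *cookie);
#define MAX_LISTENERS 4
static listener_fn listeners[MAX_LISTENERS];
static void *cookies[MAX_LISTENERS];
static int nlisteners;
static void listen_scope(listener_fn fn, void *cookie)
{
    if (nlisteners == MAX_LISTENERS) return;          /* table full: ignore */
    listeners[nlisteners] = fn;
    cookies[nlisteners++] = cookie;
}

/* Dispatcher: callers ask "may cred do action?" and never read euid or securelevel.
 * Any DENY wins, one ALLOW is required; all-defer or no listener fails closed. */
static int authorize(const struct cred *cr, enum action a)
{
    int allowed = 0;
    for (int i = 0; i < nlisteners; i++) {
        enum result r = listeners[i](cr, a, cookies[i]);
        if (r == RESULT_DENY) return 0;
        if (r == RESULT_ALLOW) allowed = 1;
    }
    return allowed;
}

/* "bsd44"-style model: the superuser and securelevel implications live here,
 * in one place, instead of in scattered euid == 0 comparisons. */
static enum result bsd44_listener(const struct cred *cr, enum action a, void *cookie)
{
    int securelevel = *(const int *)cookie;
    if (cr->euid != 0) return RESULT_DENY;              /* superuser implication */
    if (a == ACT_LOWER_SECURELEVEL && securelevel > 0)
        return RESULT_DENY;                             /* securelevel implication */
    return (a == ACT_REBOOT || a == ACT_LOWER_SECURELEVEL) ? RESULT_ALLOW : RESULT_DEFER;
}

/* Fresh table with one bsd44 listener at the given securelevel, then ask. */
static int check(unsigned int euid, int securelevel, enum action a)
{
    static int level;
    struct cred cr = { euid };
    level = securelevel; nlisteners = 0;
    listen_scope(bsd44_listener, &level);
    return authorize(&cr, a);
}
```

Because the decision is centralised in bsd44_listener, swapping in another model means registering a different listener, not editing every caller.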