Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmode...

details:   https://anonhg.NetBSD.org/src/rev/23771dc7163e
branches:  trunk
changeset: 361358:23771dc7163e
user:      alnsn <alnsn%NetBSD.org@localhost>
date:      Thu Apr 26 18:54:09 2018 +0000

description:
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).

Disabling SVS is denied at securelevel 1 and above.

diffstat:

 sys/arch/x86/x86/svs.c                          |  15 +++++++++------
 sys/secmodel/securelevel/secmodel_securelevel.c |   9 +++++++--
 sys/secmodel/suser/secmodel_suser.c             |   5 +++--
 sys/sys/kauth.h                                 |   5 +++--
 4 files changed, 22 insertions(+), 12 deletions(-)

diffs (119 lines):

diff -r 46b26e8518dc -r 23771dc7163e sys/arch/x86/x86/svs.c
--- a/sys/arch/x86/x86/svs.c    Thu Apr 26 18:33:02 2018 +0000
+++ b/sys/arch/x86/x86/svs.c    Thu Apr 26 18:54:09 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: svs.c,v 1.17 2018/03/30 19:58:05 maxv Exp $    */
+/*     $NetBSD: svs.c,v 1.18 2018/04/26 18:54:09 alnsn Exp $   */
 
 /*
  * Copyright (c) 2018 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: svs.c,v 1.17 2018/03/30 19:58:05 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: svs.c,v 1.18 2018/04/26 18:54:09 alnsn Exp $");
 
 #include "opt_svs.h"
 
@@ -38,6 +38,7 @@
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/cpu.h>
+#include <sys/kauth.h>
 #include <sys/sysctl.h>
 #include <sys/xcall.h>
 
@@ -737,11 +738,13 @@
                        error = 0;
                else
                        error = EOPNOTSUPP;
-       } else {
-               if (svs_enabled)
+       } else if (svs_enabled) {
+               error = kauth_authorize_machdep(kauth_cred_get(),
+                   KAUTH_MACHDEP_SVS_DISABLE, NULL, NULL, NULL, NULL);
+               if (!error)
                        error = svs_disable();
-               else
-                       error = 0;
+       } else {
+               error = 0;
        }
 
        return error;
diff -r 46b26e8518dc -r 23771dc7163e sys/secmodel/securelevel/secmodel_securelevel.c
--- a/sys/secmodel/securelevel/secmodel_securelevel.c   Thu Apr 26 18:33:02 2018 +0000
+++ b/sys/secmodel/securelevel/secmodel_securelevel.c   Thu Apr 26 18:54:09 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.30 2014/02/25 18:30:13 pooka Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.31 2018/04/26 18:54:09 alnsn Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.30 2014/02/25 18:30:13 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.31 2018/04/26 18:54:09 alnsn Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
@@ -494,6 +494,11 @@
                        result = KAUTH_RESULT_DENY;
                break;
 
+       case KAUTH_MACHDEP_SVS_DISABLE:
+               if (securelevel > 0)
+                       result = KAUTH_RESULT_DENY;
+               break;
+
        case KAUTH_MACHDEP_CPU_UCODE_APPLY:
                if (securelevel > 1)
                        result = KAUTH_RESULT_DENY;
diff -r 46b26e8518dc -r 23771dc7163e sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Thu Apr 26 18:33:02 2018 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Thu Apr 26 18:54:09 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.43 2017/06/14 17:48:41 maxv Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.44 2018/04/26 18:54:09 alnsn Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.43 2017/06/14 17:48:41 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.44 2018/04/26 18:54:09 alnsn Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -854,6 +854,7 @@
        case KAUTH_MACHDEP_UNMANAGEDMEM:
        case KAUTH_MACHDEP_PXG:
        case KAUTH_MACHDEP_X86PMC:
+       case KAUTH_MACHDEP_SVS_DISABLE:
                if (isroot)
                        result = KAUTH_RESULT_ALLOW;
                break;
diff -r 46b26e8518dc -r 23771dc7163e sys/sys/kauth.h
--- a/sys/sys/kauth.h   Thu Apr 26 18:33:02 2018 +0000
+++ b/sys/sys/kauth.h   Thu Apr 26 18:54:09 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.75 2017/08/28 00:46:07 kamil Exp $ */
+/* $NetBSD: kauth.h,v 1.76 2018/04/26 18:54:09 alnsn Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>  
@@ -320,7 +320,8 @@
        KAUTH_MACHDEP_NVRAM,
        KAUTH_MACHDEP_UNMANAGEDMEM,
        KAUTH_MACHDEP_PXG,
-       KAUTH_MACHDEP_X86PMC
+       KAUTH_MACHDEP_X86PMC,
+       KAUTH_MACHDEP_SVS_DISABLE
 };
 
 /*
Home | Main Index | Thread Index | Old Index