Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/secmodel/suser Allow root to do things that the subsyste...
details: https://anonhg.NetBSD.org/src/rev/e0eb90091a31
branches: trunk
changeset: 747954:e0eb90091a31
user: elad <elad%NetBSD.org@localhost>
date: Tue Oct 06 20:34:22 2009 +0000
description:
Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel
and remove subsystem specific listeners; without this change they would
have ended up with a root user that can only do privileged operations.
diffstat:
sys/secmodel/suser/secmodel_suser.c | 44 +++++++++++++++++++++++++++++++++++-
1 files changed, 42 insertions(+), 2 deletions(-)
diffs (100 lines):
diff -r 6513717b8640 -r e0eb90091a31 sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c Tue Oct 06 20:05:10 2009 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c Tue Oct 06 20:34:22 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.27 2009/10/05 04:20:13 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.28 2009/10/06 20:34:22 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.27 2009/10/05 04:20:13 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.28 2009/10/06 20:34:22 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -304,6 +304,14 @@
case KAUTH_SYSTEM_MOUNT:
switch (req) {
+ case KAUTH_REQ_SYSTEM_MOUNT_GET:
+ if (isroot) {
+ result = KAUTH_RESULT_ALLOW;
+ break;
+ }
+
+ break;
+
case KAUTH_REQ_SYSTEM_MOUNT_NEW: {
struct mount *mp = ((struct vnode *)arg1)->v_mount;
u_long flags = (u_long)arg2;
@@ -437,6 +445,20 @@
result = KAUTH_RESULT_ALLOW;
break;
+ case KAUTH_SYSTEM_DEBUG:
+ switch (req) {
+ case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+
+ break;
+
+ default:
+ break;
+ }
+
+ break;
+
case KAUTH_SYSTEM_CHSYSFLAGS:
/*
* Needs to be checked in conjunction with the immutable and
@@ -481,6 +503,7 @@
case KAUTH_PROCESS_PTRACE:
case KAUTH_PROCESS_SCHEDULER_GETPARAM:
case KAUTH_PROCESS_SCHEDULER_SETPARAM:
+ case KAUTH_PROCESS_SCHEDULER_GETAFFINITY:
case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
case KAUTH_PROCESS_SETID:
case KAUTH_PROCESS_KEVENT_FILTER:
@@ -600,6 +623,7 @@
case KAUTH_NETWORK_BIND:
switch (req) {
+ case KAUTH_REQ_NETWORK_BIND_PORT:
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
@@ -610,6 +634,20 @@
}
break;
+ case KAUTH_NETWORK_FIREWALL:
+ switch (req) {
+ case KAUTH_REQ_NETWORK_FIREWALL_FW:
+ case KAUTH_REQ_NETWORK_FIREWALL_NAT:
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+
+ break;
+
+ default:
+ break;
+ }
+ break;
+
case KAUTH_NETWORK_FORWSRCRT:
case KAUTH_NETWORK_ROUTE:
if (isroot)
@@ -619,6 +657,8 @@
case KAUTH_NETWORK_INTERFACE:
switch (req) {
+ case KAUTH_REQ_NETWORK_INTERFACE_GET:
+ case KAUTH_REQ_NETWORK_INTERFACE_SET:
case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
if (isroot)
Home |
Main Index |
Thread Index |
Old Index