Source-Changes-HG archive


[src/trunk]: src/sys Implement the register/deregister/evaluation API for sec...



details:   https://anonhg.NetBSD.org/src/rev/6c7659c41d16
branches:  trunk
changeset: 771864:6c7659c41d16
user:      jym <jym%NetBSD.org@localhost>
date:      Sun Dec 04 19:24:58 2011 +0000

description:
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.

When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluate the request. This is done through the
secmodel_eval(9) call; example:

    bool isroot;
    error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
        cred, &isroot);
    if (error == 0 && !isroot)
            result = KAUTH_RESULT_DENY;

This one asks the suser module if the credentials are assumed to be root
when evaluated by the suser module. If the module is present, it will
respond. If absent, the call will return an error.

Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.

A typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property from the secmodel_securelevel(9) module.
Given that the securelevel module may be absent from the system's context
(thus making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.

We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs into the bsd44, suser and securelevel secmodels
to provide the logic behind the curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).

secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.

Regarding sysctl(7) entries:
curtain and usermount are now found under the security.models.extensions
tree. security.curtain and vfs.generic.usermount are still
accessible for backwards compat.

Documentation is incoming, I am proof-reading my writings.

Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.

See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html

XXX might consider va0 mapping too.

XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.

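The following is an added example for this archive page, not code from
NetBSD's sys/secmodel/secmodel.c or from the commit above. It is a
userland C model of the register/deregister/eval pattern and of the
curtain/usermount gating the description explains: one registry keyed by
model id, a per-model evaluation callback, an error when the model asked
for is absent, and the "is-securelevel-above" check driving the knobs.
The registry layout, the sm_* names, struct cred as a stand-in for
kauth_cred_t, and the ENOENT/ENOTSUP codes for "model absent" and "unknown
command" are assumptions made here; the real secmodel_register(9) takes
more arguments, as the secmodel_bsd44.c hunk further down shows.

```c
/* Added example, not NetBSD code: a userland model of the register/
 * deregister/eval pattern described above. The registry, the sm_* names,
 * the cred stand-in and the ENOENT/ENOTSUP error codes are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define MAX_MODELS 8
struct cred { unsigned euid; };		/* stand-in for kauth_cred_t */
typedef int (*sm_eval_fn)(const char *cmd, void *arg, void *ret);

struct secmodel {
	const char *id;
	sm_eval_fn eval;	/* NULL: the model answers no queries */
};
static struct secmodel registry[MAX_MODELS];
static int nmodels;

/* One entry per id, so sm_eval() has exactly one model to ask. */
int sm_register(const char *id, sm_eval_fn eval)
{
	if (nmodels == MAX_MODELS)
		return ENOMEM;
	for (int i = 0; i < nmodels; i++)
		if (strcmp(registry[i].id, id) == 0)
			return EEXIST;
	registry[nmodels++] = (struct secmodel){ id, eval };
	return 0;
}

int sm_deregister(const char *id)
{
	for (int i = 0; i < nmodels; i++)
		if (strcmp(registry[i].id, id) == 0) {
			registry[i] = registry[--nmodels];
			return 0;
		}
	return ENOENT;
}

/* Like secmodel_eval(9): route cmd to the model named by id instead of
 * reading its globals. Absent model -> ENOENT, unknown cmd -> ENOTSUP. */
int sm_eval(const char *id, const char *cmd, void *arg, void *ret)
{
	for (int i = 0; i < nmodels; i++)
		if (strcmp(registry[i].id, id) == 0)
			return registry[i].eval == NULL ? ENOTSUP :
			    registry[i].eval(cmd, arg, ret);
	return ENOENT;
}

/* suser: "is-root" takes a struct cred *, answers in a bool. */
static int suser_eval(const char *cmd, void *arg, void *ret)
{
	if (strcmp(cmd, "is-root") != 0)
		return ENOTSUP;
	*(bool *)ret = ((struct cred *)arg)->euid == 0;
	return 0;
}

/* securelevel: "is-securelevel-above" takes an int *, answers in a bool. */
int securelevel = 0;
static int securelevel_eval(const char *cmd, void *arg, void *ret)
{
	if (strcmp(cmd, "is-securelevel-above") != 0)
		return ENOTSUP;
	*(bool *)ret = securelevel > *(int *)arg;
	return 0;
}

/* extensions: curtain/usermount knobs gated through sm_eval. As in the
 * is-root snippet above, an error (model absent) does not count as
 * "raised": with no securelevel model loaded there is nothing to enforce. */
bool curtain_on, usermount_on;

static bool is_securelevel_above(int lvl)
{
	bool above = false;
	int error = sm_eval("org.netbsd.secmodel.securelevel",
	    "is-securelevel-above", &lvl, &above);
	return error == 0 && above;
}

int extensions_set_curtain(bool on)	/* cannot be disabled above 0 */
{
	if (!on && is_securelevel_above(0))
		return EPERM;
	curtain_on = on;
	return 0;
}

int extensions_set_usermount(bool on)	/* cannot be enabled above 0 */
{
	if (on && is_securelevel_above(0))
		return EPERM;
	usermount_on = on;
	return 0;
}
```

A caller that needs the suser answer does exactly what the description's
snippet does, `sm_eval("org.netbsd.secmodel.suser", "is-root", cred,
&isroot)`, and only acts on the result when the call returned 0. The one
design decision worth noticing is what an error means to the extensions
knobs: here, as in the is-root snippet, an absent securelevel model is
treated as "not raised", which is fail-open by construction; a policy that
wanted to fail closed would return EPERM from the setters whenever
sm_eval() reports an error.
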
diffstat:

 sys/kern/init_main.c                            |    8 +-
 sys/kern/kern_auth.c                            |   34 +-
 sys/kern/kern_module.c                          |   11 +-
 sys/rump/librump/rumpkern/Makefile.rumpkern     |    4 +-
 sys/rump/librump/rumpkern/rump.c                |    6 +-
 sys/secmodel/bsd44/bsd44.h                      |    5 +-
 sys/secmodel/bsd44/files.bsd44                  |    4 +-
 sys/secmodel/bsd44/secmodel_bsd44.c             |   24 +-
 sys/secmodel/extensions/extensions.h            |   35 +
 sys/secmodel/extensions/files.extensions        |    5 +
 sys/secmodel/extensions/secmodel_extensions.c   |  456 ++++++++++++++++++++++++
 sys/secmodel/files.secmodel                     |    9 +-
 sys/secmodel/keylock/secmodel_keylock.c         |   17 +-
 sys/secmodel/overlay/overlay.h                  |    5 +-
 sys/secmodel/overlay/secmodel_overlay.c         |   24 +-
 sys/secmodel/secmodel.c                         |  271 ++++++++++++++
 sys/secmodel/secmodel.h                         |   63 +++
 sys/secmodel/securelevel/secmodel_securelevel.c |   38 +-
 sys/secmodel/securelevel/securelevel.h          |    5 +-
 sys/secmodel/suser/secmodel_suser.c             |  190 ++-------
 sys/secmodel/suser/suser.h                      |    5 +-
 sys/sys/kauth.h                                 |   10 +-
 22 files changed, 1020 insertions(+), 209 deletions(-)

diffs (truncated from 1835 to 300 lines):

diff -r 892f10798fa3 -r 6c7659c41d16 sys/kern/init_main.c
--- a/sys/kern/init_main.c      Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/kern/init_main.c      Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: init_main.c,v 1.437 2011/11/19 22:51:25 tls Exp $      */
+/*     $NetBSD: init_main.c,v 1.438 2011/12/04 19:24:58 jym Exp $      */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.437 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.438 2011/12/04 19:24:58 jym Exp $");
 
 #include "opt_ddb.h"
 #include "opt_ipsec.h"
@@ -211,6 +211,8 @@
 #include <sys/pax.h>
 #endif /* PAX_MPROTECT || PAX_SEGVGUARD || PAX_ASLR */
 
+#include <secmodel/secmodel.h>
+
 #include <ufs/ufs/quota.h>
 
 #include <miscfs/genfs/genfs.h>
@@ -346,6 +348,8 @@
        /* Initialize the kernel authorization subsystem. */
        kauth_init();
 
+       secmodel_init();
+
        spec_init();
 
        /*
diff -r 892f10798fa3 -r 6c7659c41d16 sys/kern/kern_auth.c
--- a/sys/kern/kern_auth.c      Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/kern/kern_auth.c      Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_auth.c,v 1.65 2009/12/31 02:20:36 elad Exp $ */
+/* $NetBSD: kern_auth.c,v 1.66 2011/12/04 19:24:58 jym Exp $ */
 
 /*-
  * Copyright (c) 2006, 2007 The NetBSD Foundation, Inc.
@@ -54,7 +54,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.65 2009/12/31 02:20:36 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.66 2011/12/04 19:24:58 jym Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -70,11 +70,13 @@
 #include <sys/specificdata.h>
 #include <sys/vnode.h>
 
+#include <secmodel/secmodel.h>
+
 /*
  * Secmodel-specific credentials.
  */
 struct kauth_key {
-       const char *ks_secmodel;        /* secmodel */
+       secmodel_t ks_secmodel;         /* secmodel */
        specificdata_key_t ks_key;      /* key */
 };
 
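Review bot: changing ks_secmodel from `const char *` to `secmodel_t` is an ABI and API break for any out-of-tree secmodel that calls kauth_register_key() with the model name string (the signature change is in the next hunk), and kauth(9) still documents the string form; the commit message defers documentation, so the kauth(9) update should land with this change rather than later.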
@@ -145,8 +147,6 @@
 static kauth_scope_t kauth_builtin_scope_cred;
 static kauth_scope_t kauth_builtin_scope_vnode;
 
-static unsigned int nsecmodels = 0;
-
 static specificdata_domain_t kauth_domain;
 static pool_cache_t kauth_cred_cache;
 
@@ -507,7 +507,7 @@
 }
 
 int
-kauth_register_key(const char *secmodel, kauth_key_t *result)
+kauth_register_key(secmodel_t secmodel, kauth_key_t *result)
 {
        kauth_key_t k;
        specificdata_key_t key;
@@ -993,7 +993,7 @@
        if (r == KAUTH_RESULT_ALLOW)
                return (0);
 
-       if (!nsecmodels)
+       if (secmodel_nsecmodels() == 0)
                return (0);
 
        return (EPERM);
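Review bot: the fail-open default is preserved here (with `secmodel_nsecmodels() == 0` a request nothing denied is allowed), but the count now comes from explicit secmodel_register() calls instead of from every loaded MODULE_CLASS_SECMODEL module. A secmodel whose secmodel_register() fails, or that never calls it, yet still attaches kauth listeners leaves the count at zero, so every secmodel's MODULE_CMD_INIT must fail the load on a registration error. The removed `nsecmodels` was updated under kauth_lock; secmodel_nsecmodels() is called here without that lock, so it needs its own locking or an atomic read of the counter.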
@@ -1141,23 +1141,3 @@
 
        return (r);
 }
-
-void
-secmodel_register(void)
-{
-       KASSERT(nsecmodels + 1 != 0);
-
-       rw_enter(&kauth_lock, RW_WRITER);
-       nsecmodels++;
-       rw_exit(&kauth_lock);
-}
-
-void
-secmodel_deregister(void)
-{
-       KASSERT(nsecmodels != 0);
-
-       rw_enter(&kauth_lock, RW_WRITER);
-       nsecmodels--;
-       rw_exit(&kauth_lock);
-}
diff -r 892f10798fa3 -r 6c7659c41d16 sys/kern/kern_module.c
--- a/sys/kern/kern_module.c    Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/kern/kern_module.c    Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_module.c,v 1.85 2011/11/28 03:13:31 jnemeth Exp $ */
+/*     $NetBSD: kern_module.c,v 1.86 2011/12/04 19:24:59 jym Exp $     */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.85 2011/11/28 03:13:31 jnemeth Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_module.c,v 1.86 2011/12/04 19:24:59 jym Exp $");
 
 #define _MODULE_INTERNAL
 
@@ -795,8 +795,6 @@
        if (modp != NULL) {
                *modp = mod;
        }
-       if (mi->mi_class == MODULE_CLASS_SECMODEL)
-               secmodel_register();
        module_enqueue(mod);
        return 0;
 }
@@ -1071,9 +1069,6 @@
                goto fail;
        }
 
-       if (mi->mi_class == MODULE_CLASS_SECMODEL)
-               secmodel_register();
-
        /*
         * Good, the module loaded successfully.  Put it onto the
         * list and add references to its requisite modules.
@@ -1150,8 +1145,6 @@
                    error);
                return error;
        }
-       if (mod->mod_info->mi_class == MODULE_CLASS_SECMODEL)
-               secmodel_deregister();
        module_count--;
        TAILQ_REMOVE(&module_list, mod, mod_chain);
        for (i = 0; i < mod->mod_nrequired; i++) {
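Review bot: with this decrement gone, nothing in module_do_unload() removes a secmodel from the registry when its module goes away; a secmodel whose MODULE_CMD_FINI does not call secmodel_deregister() leaves an entry whose evaluation callback points into unmapped module text, and the next secmodel_eval() against that id calls it. Either refuse to unload a MODULE_CLASS_SECMODEL module that is still registered, or document secmodel_deregister() in FINI as mandatory.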
diff -r 892f10798fa3 -r 6c7659c41d16 sys/rump/librump/rumpkern/Makefile.rumpkern
--- a/sys/rump/librump/rumpkern/Makefile.rumpkern       Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/rump/librump/rumpkern/Makefile.rumpkern       Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile.rumpkern,v 1.113 2011/11/27 00:38:12 tsutsui Exp $
+#      $NetBSD: Makefile.rumpkern,v 1.114 2011/12/04 19:24:59 jym Exp $
 #
 
 .include "${RUMPTOP}/Makefile.rump"
@@ -12,6 +12,7 @@
        ${RUMPTOP}/../uvm                                       \
        ${RUMPTOP}/../conf                                      \
        ${RUMPTOP}/../dev                                       \
+       ${RUMPTOP}/../secmodel                                  \
        ${RUMPTOP}/../secmodel/suser                            \
        ${RUMPTOP}/../compat/common
 
@@ -109,6 +110,7 @@
 SRCS+= uvm_aobj.c uvm_readahead.c uvm_object.c
 
 # 4.4BSD secmodel.  selection is hardcoded for now
+SRCS+= secmodel.c
 SRCS+= secmodel_suser.c
 
 # the funny bit.  this doesn't really belong here, but helps with the
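Review bot: the `# 4.4BSD secmodel.  selection is hardcoded for now` comment now sits above `SRCS+= secmodel.c`, which is the model-independent framework and not a 4.4BSD selection; move the new line above the comment or split the comment so the "hardcoded" note applies only to secmodel_suser.c.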
diff -r 892f10798fa3 -r 6c7659c41d16 sys/rump/librump/rumpkern/rump.c
--- a/sys/rump/librump/rumpkern/rump.c  Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/rump/librump/rumpkern/rump.c  Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: rump.c,v 1.237 2011/12/01 19:15:15 tls Exp $   */
+/*     $NetBSD: rump.c,v 1.238 2011/12/04 19:24:59 jym Exp $   */
 
 /*
  * Copyright (c) 2007-2011 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rump.c,v 1.237 2011/12/01 19:15:15 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rump.c,v 1.238 2011/12/04 19:24:59 jym Exp $");
 
 #include <sys/systm.h>
 #define ELFSIZE ARCH_ELFSIZE
@@ -314,6 +314,8 @@
 
        kauth_init();
 
+       secmodel_init();
+
        /*
         * Create the kernel cprng.  Yes, it's currently stubbed out
         * to arc4random() for RUMP, but this won't always be so.
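Review bot: rump links only secmodel_suser.c (see Makefile.rumpkern) and does not go through the module loader path that secmodel_bsd44.c uses for MODULE_CMD_INIT; confirm that suser's secmodel_register() is reached in rump after this secmodel_init(), otherwise secmodel_nsecmodels() stays 0 and kauth_authorize_action() in a rump kernel allows everything no listener denied.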
diff -r 892f10798fa3 -r 6c7659c41d16 sys/secmodel/bsd44/bsd44.h
--- a/sys/secmodel/bsd44/bsd44.h        Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/secmodel/bsd44/bsd44.h        Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bsd44.h,v 1.5 2009/10/02 18:50:13 elad Exp $ */
+/* $NetBSD: bsd44.h,v 1.6 2011/12/04 19:25:00 jym Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -29,6 +29,9 @@
 #ifndef _SECMODEL_BSD44_BSD44_H_
 #define        _SECMODEL_BSD44_BSD44_H_
 
+#define SECMODEL_BSD44_ID   "org.netbsd.secmodel.bsd44"
+#define SECMODEL_BSD44_NAME "Traditional NetBSD: 4.4BSD"
+
 void secmodel_bsd44_init(void);
 void secmodel_bsd44_start(void);
 void secmodel_bsd44_stop(void);
diff -r 892f10798fa3 -r 6c7659c41d16 sys/secmodel/bsd44/files.bsd44
--- a/sys/secmodel/bsd44/files.bsd44    Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/secmodel/bsd44/files.bsd44    Sun Dec 04 19:24:58 2011 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: files.bsd44,v 1.3 2009/10/02 18:50:13 elad Exp $
+# $NetBSD: files.bsd44,v 1.4 2011/12/04 19:25:00 jym Exp $
 
 defflag secmodel_bsd44_logic
-defflag secmodel_bsd44 : secmodel_bsd44_logic, secmodel_suser, secmodel_securelevel
+defflag secmodel_bsd44 : secmodel_bsd44_logic, secmodel_suser, secmodel_securelevel, secmodel_extensions
 
 file   secmodel/bsd44/secmodel_bsd44.c                 secmodel_bsd44
diff -r 892f10798fa3 -r 6c7659c41d16 sys/secmodel/bsd44/secmodel_bsd44.c
--- a/sys/secmodel/bsd44/secmodel_bsd44.c       Sun Dec 04 18:34:20 2011 +0000
+++ b/sys/secmodel/bsd44/secmodel_bsd44.c       Sun Dec 04 19:24:58 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44.c,v 1.14 2011/11/28 22:28:33 jym Exp $ */
+/* $NetBSD: secmodel_bsd44.c,v 1.15 2011/12/04 19:25:00 jym Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44.c,v 1.14 2011/11/28 22:28:33 jym Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44.c,v 1.15 2011/12/04 19:25:00 jym Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -41,9 +41,11 @@
 #include <secmodel/bsd44/bsd44.h>
 #include <secmodel/suser/suser.h>
 #include <secmodel/securelevel/securelevel.h>
+#include <secmodel/extensions/extensions.h>
 
-MODULE(MODULE_CLASS_SECMODEL, secmodel_bsd44, "suser,securelevel");
+MODULE(MODULE_CLASS_SECMODEL, secmodel_bsd44, "suser,securelevel,extensions");
 
+static secmodel_t bsd44_sm;
 static struct sysctllog *sysctl_bsd44_log;
 
 void
@@ -72,7 +74,8 @@
        sysctl_createv(clog, 0, &rnode, NULL,
                       CTLFLAG_PERMANENT,
                       CTLTYPE_STRING, "name", NULL,
-                      NULL, 0, __UNCONST("Traditional NetBSD (derived from 4.4BSD)"), 0,
+                      NULL, 0,
+                      __UNCONST(SECMODEL_BSD44_NAME), 0,
                       CTL_CREATE, CTL_EOL);
 }
 
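Review bot: the value of the security.models.bsd44.name sysctl changes from "Traditional NetBSD (derived from 4.4BSD)" to "Traditional NetBSD: 4.4BSD" through SECMODEL_BSD44_NAME; that is a user-visible string change not mentioned in the commit message, so either keep the old text in the macro or call the change out for anyone matching on it.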
@@ -101,6 +104,14 @@
 
        switch (cmd) {
        case MODULE_CMD_INIT:
+
+               error = secmodel_register(&bsd44_sm,
+                   SECMODEL_BSD44_ID, SECMODEL_BSD44_NAME,
+                   NULL, NULL, NULL);
+               if (error != 0)
+                       printf("secmodel_bsd44_modcmd::init: "
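Review bot: the error path after `if (error != 0)` is cut off in the truncated diff; whatever follows the printf must `return error` and leave `bsd44_sm` NULL rather than fall through to the rest of MODULE_CMD_INIT, otherwise a failed registration yields a running model that secmodel_nsecmodels() does not count. The bare printf is also the ad-hoc error reporting the commit message's second XXX describes; aprint_error() would at least honour boot verbosity until a secmodel-specific reporter exists.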


