Subject: Re: KAUTH_REQ_NETWORK_SOCKET_OPEN
To: Iain Hibbert <plunky@rya-online.net>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 02/01/2007 00:29:25
Iain Hibbert wrote:

>> I think the 4.4BSD model may as well get another hard-coded exception.

I agree with David here.

>> The rule "only root can create a raw socket, PF_ROUTE and PF_BLUETOOTH
>> sockets excepted" is a blunt instrument for enforcing a policy on
>> what packets a program can send and receive.  It leads to risky
>> business like using a setuid program to send and receive innocuous
>> ICMP Echo packets.  Going forwards, *perhaps* the granularity needs to
>> be finer---socket(PF_ICMP, SOCK_DGRAM, ICMP_ECHO), anyone?---or else
>> a different mechanism should enforce the policy (packet filter rules
>> applied to programs and processes?).
> 
> I had a thought that rather than adding hardcoded values to the kauth
> request, if it took a pointer to the protosw instead of (domain, type,
> proto), there could be a PR_RESTRICT flag on specific protocols to lock
> them off..  (eg below)

I don't think this is the way to do it. This is another example of
forcing the design of the kpi because of a single secmodel.

You are not adding "hardcoded values to the kauth request". The request,
iiuc, remains the same, and you add a special case in the bsd44 secmodel
code -- like David already suggested.

-e.
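Added example, not code from this thread or from NetBSD: a user-space model of the arrangement Elad and David argue for, in which the KAUTH_REQ_NETWORK_SOCKET_OPEN request keeps its (domain, type, proto) arguments and the PF_ROUTE / PF_BLUETOOTH exception is a special case inside the bsd44 secmodel's network-scope listener. The listener has the shape of a kauth scope callback (cred, action, cookie, arg0..arg3), but the types, enum values, `KAUTH_ARG` macro and the `authorize_network` dispatcher are local stand-ins for sys/kauth.h and sys/socket.h, and the deny-wins / allow-needed / all-defer-fails semantics of the dispatcher are an assumption of the model, not a statement about the kernel's own dispatcher. `may_open_socket` plays the part of the question socreate() would ask.

```c
/* Added example, not code from the thread or from NetBSD: a user-space model
 * of a bsd44-style network-scope kauth listener that special-cases
 * KAUTH_REQ_NETWORK_SOCKET_OPEN for PF_ROUTE and PF_BLUETOOTH inside the
 * secmodel, leaving the kauth request (domain, type, proto) untouched.
 * All types, enum values and the authorize_network() dispatcher below are
 * local stand-ins for sys/kauth.h and sys/socket.h, chosen for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Listener verdicts; the names match kauth's, the values are local. */
enum { KAUTH_RESULT_ALLOW = 0, KAUTH_RESULT_DENY = 1, KAUTH_RESULT_DEFER = 2 };

/* Action and request identifiers for the network scope (local values). */
enum { KAUTH_NETWORK_SOCKET = 1 };
enum { KAUTH_REQ_NETWORK_SOCKET_OPEN = 1 };

/* Protocol families and socket types (placeholder values, not the ABI's). */
enum { PF_INET = 2, PF_ROUTE = 17, PF_BLUETOOTH = 31 };
enum { SOCK_STREAM = 1, SOCK_DGRAM = 2, SOCK_RAW = 3 };

/* Minimal credential: the effective uid is all the 4.4BSD model consults. */
typedef struct { unsigned int euid; } cred_t;

/* Same shape as a kauth scope listener: (cred, action, cookie, arg0..arg3). */
typedef int (*listener_t)(const cred_t *, int, void *, void *, void *, void *, void *);

#define KAUTH_ARG(a) ((void *)(uintptr_t)(a))

/* The secmodel listener: this is where the exception lives, per the thread. */
static int
bsd44_network_listener(const cred_t *cred, int action, void *cookie,
    void *arg0, void *arg1, void *arg2, void *arg3)
{
	int req    = (int)(uintptr_t)arg0;
	int domain = (int)(uintptr_t)arg1;
	int type   = (int)(uintptr_t)arg2;
	bool isroot = (cred->euid == 0);

	(void)cookie;
	(void)arg3;	/* protocol number: not consulted by this policy */

	if (action != KAUTH_NETWORK_SOCKET || req != KAUTH_REQ_NETWORK_SOCKET_OPEN)
		return KAUTH_RESULT_DEFER;	/* not ours to decide */

	if (isroot)
		return KAUTH_RESULT_ALLOW;

	/* Hard-coded exception in the secmodel, not in the kauth request. */
	if (domain == PF_ROUTE || domain == PF_BLUETOOTH)
		return KAUTH_RESULT_ALLOW;

	/* 4.4BSD rule: only root may create a raw socket. */
	if (type == SOCK_RAW)
		return KAUTH_RESULT_DENY;

	return KAUTH_RESULT_ALLOW;	/* ordinary stream/datagram sockets */
}

/* Model dispatcher (assumed semantics): a DENY from any listener wins,
 * otherwise some listener must ALLOW; if every listener defers, fail. */
static int
authorize_network(const cred_t *cred, int action, void *arg0,
    void *arg1, void *arg2, void *arg3)
{
	listener_t listeners[] = { bsd44_network_listener };
	bool allowed = false;
	size_t i;

	for (i = 0; i < sizeof(listeners) / sizeof(listeners[0]); i++) {
		int r = listeners[i](cred, action, NULL, arg0, arg1, arg2, arg3);
		if (r == KAUTH_RESULT_DENY)
			return EPERM;
		if (r == KAUTH_RESULT_ALLOW)
			allowed = true;
	}
	return allowed ? 0 : EPERM;
}

/* What socreate() would ask: 0 on success, EPERM when the policy refuses. */
int
may_open_socket(unsigned int euid, int domain, int type, int proto)
{
	cred_t cred = { euid };

	return authorize_network(&cred, KAUTH_NETWORK_SOCKET,
	    KAUTH_ARG(KAUTH_REQ_NETWORK_SOCKET_OPEN), KAUTH_ARG(domain),
	    KAUTH_ARG(type), KAUTH_ARG(proto));
}
```

The point of the layout is that nothing about the request or the protocol switch tables changes: a different secmodel can register its own listener for the same action and grant or refuse raw sockets on whatever basis it likes (a finer socket(PF_ICMP, SOCK_DGRAM, ICMP_ECHO)-style rule, for instance), whereas a PR_RESTRICT bit on the protosw would bake one policy into the kpi for every secmodel.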