Subject: Re: kauth and access to process credentials
To: Bill Studenmund <wrstuden@netbsd.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 02/18/2007 13:55:21

On Sun, Feb 18, 2007 at 09:41:42PM +0000, David Laight wrote:
> On Sun, Feb 18, 2007 at 01:05:32PM -0800, Bill Studenmund wrote:
> > On Sun, Feb 18, 2007 at 02:10:23PM +0000, David Laight wrote:
> > > The kauth code seems to be full of wrapper functions.
> > >
> > > In particular every piece of code that needs to look at one of the
> > > process's uids ends up calling a function.
> > > This might be reasonable for LKMs, but for code that is linked into the
> > > main kernel image rather OTT.
> >
> > That's rather the point of kauth. It's supposed to be the only code area
> > that actually knows what a credential is, so that it can change them as
> > desired. If you want to know something, you have to ask it.
>
> You are allowed to ask for the uids and gids, and a lot of code (for
> compatibility reasons) has to make very specific comparisons between
> the uids and gids before doing some actions.

Like I said, the case is weaker for uid.

gid, however, I don't think you should be able to ask for. You belong to a
set of groups, and one big complaint of our (older) code is that said set
size was fixed. If instead you ask "is 'gid' one of my groups" then we can
sweep everything into the kauth code.

> With the kauth scheme you have NFI whether some syscall code is doing
> appropriate checks before doing some action - and you always require it
> to request those checks - so the kauth code cannot enforce security that
> wasn't there before.
>
> For an example of the code I'm looking at, search for pfind() in
> src/sys/compat/linux/common/linux_sched.c
> where it does:
> 	  kauth_authorize_generic(pc, KAUTH_GENERIC_ISSUSER, NULL) == 0 ||
> 	  kauth_cred_getuid(pc) == kauth_cred_getuid(p->p_cred) ||
> 	  kauth_cred_geteuid(pc) == kauth_cred_getuid(p->p_cred) ||
> 	  kauth_cred_getuid(pc) == kauth_cred_geteuid(p->p_cred) ||
> 	  kauth_cred_geteuid(pc) == kauth_cred_geteuid(p->p_cred)))
> This used to be simple structure indirecting...

I agree we can do better than that. And I thank you for pushing us towards
trying. :-)

The first is just to read things into intermediate variables, then compare.
That way we make no more calls than needed.

The second thing that comes to my mind is to add something akin to
kauth_cred_getuids(cred *, uid_t *, uid_t *, uid_t *) which can return the
current, real, and effective uids all at once.

Take care,

Bill
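As an added illustration (not NetBSD code and not part of the original thread): a toy credential type, a batched accessor in the spirit of the proposed kauth_cred_getuids(), and the quoted linux_sched.c test rewritten to fetch each credential's uids once. The struct, the trailing-underscore names and the choice of real/effective/saved as the three uids are assumptions for this example.

```c
/* Toy stand-ins for the opaque kauth_cred_t and its accessors (assumed). */
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t uid_t_;               /* stand-in for uid_t */

struct kauth_cred_ {                   /* stand-in for kauth_cred_t */
    uid_t_ cr_uid, cr_euid, cr_svuid;  /* real, effective, saved uid */
};

/* Batched accessor in the style of the proposed kauth_cred_getuids():
 * one call returns all three uids instead of one call per uid. */
static void
kauth_cred_getuids_(const struct kauth_cred_ *c,
                    uid_t_ *ruid, uid_t_ *euid, uid_t_ *svuid)
{
    *ruid = c->cr_uid;
    *euid = c->cr_euid;
    *svuid = c->cr_svuid;
}

/* Stand-in for kauth_authorize_generic(pc, KAUTH_GENERIC_ISSUSER, NULL) == 0:
 * here simply "effective uid is root". */
static bool
is_superuser_(const struct kauth_cred_ *c)
{
    return c->cr_euid == 0;
}

/* The quoted check (caller may act on target if superuser, or if any of
 * caller's real/effective uid matches target's real/effective uid),
 * with the uids read into locals once per credential. */
bool
cred_may_act_on(const struct kauth_cred_ *pc, const struct kauth_cred_ *tc)
{
    uid_t_ my_ruid, my_euid, my_sv, t_ruid, t_euid, t_sv;

    if (is_superuser_(pc))
        return true;
    kauth_cred_getuids_(pc, &my_ruid, &my_euid, &my_sv);
    kauth_cred_getuids_(tc, &t_ruid, &t_euid, &t_sv);
    (void)my_sv; (void)t_sv;           /* saved uids are not part of the test */
    return my_ruid == t_ruid || my_euid == t_ruid ||
           my_ruid == t_euid || my_euid == t_euid;
}
```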
