

Re: Adding KAUTH_DEVICE_TTY_ATTACH_<TYPE>



Elad Efrat wrote:
On Thu, Apr 30, 2009 at 3:22 PM, Elad Efrat <elad%netbsd.org@localhost> wrote:

To summarize, then, we need KAUTH_NETWORK_INTERFACE::ADD + ::ENABLE
(or similar) in ppp, and two more ::ENABLEs in sl/strip. We also need
KAUTH_DEVICE_BLUETOOTH_ADD + ENABLE for btuart/bcsp.

It's ok by me; I only wanted to steer you away from the TTY viewpoint.
Okay, thanks for your help.

I'd like to indicate "ppp", "strip", and "slip", but I'll do that as a
second pass. I plan on exposing kauth(9) listeners to less and less
kernel internals, but this work will be done in stages like I've
stated before.

Actually, perhaps we can do it all now.

I propose the following new actions/requests:
  KAUTH_NETWORK_INTERFACE_PPP::ADD, ENABLE for ppp
  KAUTH_NETWORK_INTERFACE_SLIP::ENABLE for slip
  KAUTH_NETWORK_INTERFACE_STRIP::ENABLE for strip

+ the ones mentioned above for bluetooth.

The attached diff implements my suggestion.

I'm not entirely happy with it as we call kauth twice for bcsp, btuart,
and ppp. Do you see a reason to separate ADD and ENABLE and not just
treat both as the same? Is there a situation where you'd want to allow a user
or a program only one of the two?

Maybe for ppp, btuart, and bcsp, we should combine ADD and ENABLE as
the code only supports doing both together?

Thanks,

-e.
Index: sys/sys/kauth.h
===================================================================
RCS file: /cvsroot/src/sys/sys/kauth.h,v
retrieving revision 1.56
diff -u -p -r1.56 kauth.h
--- sys/sys/kauth.h     5 May 2009 21:03:28 -0000       1.56
+++ sys/sys/kauth.h     5 May 2009 22:46:32 -0000
@@ -177,7 +177,10 @@ enum {
        KAUTH_NETWORK_FORWSRCRT,
        KAUTH_NETWORK_NFS,
        KAUTH_NETWORK_ROUTE,
-       KAUTH_NETWORK_SOCKET
+       KAUTH_NETWORK_SOCKET,
+       KAUTH_NETWORK_INTERFACE_PPP,
+       KAUTH_NETWORK_INTERFACE_SLIP,
+       KAUTH_NETWORK_INTERFACE_STRIP,
 };
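Review bot: The new actions KAUTH_NETWORK_INTERFACE_PPP, _SLIP and _STRIP replace a KAUTH_GENERIC_ISSUSER check in the callers, but no secmodel listener change is part of this diff, so unless one lands separately every listener would defer on these actions, and if kauth treats an all-defer result as a denial the opens that currently succeed for the superuser would start failing. The same gap applies to the requests added in the second hunk of this file and to KAUTH_DEVICE_BLUETOOTH_ADD and KAUTH_DEVICE_BLUETOOTH_ENABLE in its third hunk. The kauth(9) manual page should also gain entries for the new actions and requests, stating that all argument slots are currently passed as NULL, so that listener authors do not assume an interface or tty pointer is available.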
 
 /*
@@ -210,7 +213,11 @@ enum kauth_network_req {
        KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
        KAUTH_REQ_NETWORK_SOCKET_CANSEE,
        KAUTH_REQ_NETWORK_SOCKET_DROP,
-       KAUTH_REQ_NETWORK_SOCKET_SETPRIV
+       KAUTH_REQ_NETWORK_SOCKET_SETPRIV,
+       KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
+       KAUTH_REQ_NETWORK_INTERFACE_PPP_ENABLE,
+       KAUTH_REQ_NETWORK_INTERFACE_SLIP_ENABLE,
+       KAUTH_REQ_NETWORK_INTERFACE_STRIP_ENABLE,
 };
 
 /*
@@ -242,6 +249,8 @@ enum {
        KAUTH_DEVICE_RND_ADDDATA,
        KAUTH_DEVICE_RND_GETPRIV,
        KAUTH_DEVICE_RND_SETPRIV,
+       KAUTH_DEVICE_BLUETOOTH_ADD,
+       KAUTH_DEVICE_BLUETOOTH_ENABLE,
 };
 
 /*
Index: sys/net/ppp_tty.c
===================================================================
RCS file: /cvsroot/src/sys/net/ppp_tty.c,v
retrieving revision 1.54
diff -u -p -r1.54 ppp_tty.c
--- sys/net/ppp_tty.c   15 Apr 2009 20:44:25 -0000      1.54
+++ sys/net/ppp_tty.c   5 May 2009 22:46:33 -0000
@@ -208,8 +208,14 @@ pppopen(dev_t dev, struct tty *tp)
     struct ppp_softc *sc;
     int error, s;
 
-    if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
-       NULL)) != 0)
+    error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_PPP,
+       KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD, NULL, NULL, NULL);
+    if (error)
+       return (error);
+
+    error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_PPP,
+       KAUTH_REQ_NETWORK_INTERFACE_PPP_ENABLE, NULL, NULL, NULL);
+    if (error)
        return (error);
 
     s = spltty();
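Review bot: The two back-to-back authorization calls in pppopen carry no comment explaining why opening the line discipline is treated as both an ADD and an ENABLE, which is exactly the question the cover note raises; a reader of the file alone cannot tell whether the second call is deliberate or a copy-paste. Suggest adding above the first call `/* Attaching the ppp line discipline both creates and brings up the interface, so authorize both requests. */`, or, if the two are later merged, a comment saying the single request covers both. Both checks sit before spltty(), so an ENABLE denial after an allowed ADD leaves no state to unwind. pppopen continues past the end of this hunk.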
Index: sys/net/if_sl.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_sl.c,v
retrieving revision 1.114
diff -u -p -r1.114 if_sl.c
--- sys/net/if_sl.c     17 Dec 2008 20:51:36 -0000      1.114
+++ sys/net/if_sl.c     5 May 2009 22:46:33 -0000
@@ -303,8 +303,9 @@ slopen(dev_t dev, struct tty *tp)
        struct sl_softc *sc;
        int error;
 
-       if ((error = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
-           NULL)) != 0)
+       error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_INTERFACE_SLIP,
+           KAUTH_REQ_NETWORK_INTERFACE_SLIP_ENABLE, NULL, NULL, NULL);
+       if (error)
                return error;
 
        if (tp->t_linesw == &slip_disc)
Index: sys/net/if_strip.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_strip.c,v
retrieving revision 1.92
diff -u -p -r1.92 if_strip.c
--- sys/net/if_strip.c  18 Apr 2009 14:58:05 -0000      1.92
+++ sys/net/if_strip.c  5 May 2009 22:46:34 -0000
@@ -475,8 +475,10 @@ stripopen(dev_t dev, struct tty *tp)
        struct strip_softc *sc;
        int error;
 
-       if ((error = kauth_authorize_generic(l->l_cred,
-           KAUTH_GENERIC_ISSUSER, NULL)) != 0)
+       error = kauth_authorize_network(l->l_cred,
+           KAUTH_NETWORK_INTERFACE_STRIP,
+           KAUTH_REQ_NETWORK_INTERFACE_STRIP_ENABLE, NULL, NULL, NULL);
+       if (error)
                return (error);
 
        if (tp->t_linesw == &strip_disc)
Index: sys/dev/bluetooth/btuart.c
===================================================================
RCS file: /cvsroot/src/sys/dev/bluetooth/btuart.c,v
retrieving revision 1.21
diff -u -p -r1.21 btuart.c
--- sys/dev/bluetooth/btuart.c  26 Apr 2009 07:53:43 -0000      1.21
+++ sys/dev/bluetooth/btuart.c  5 May 2009 22:46:34 -0000
@@ -226,9 +226,15 @@ btuartopen(dev_t devno __unused, struct 
        struct lwp *l = curlwp;         /* XXX */
        int error, unit, s;
 
-       if ((error = kauth_authorize_generic(l->l_cred,
-           KAUTH_GENERIC_ISSUSER, NULL)) != 0)
-               return error;
+       error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_ADD,
+           NULL, NULL, NULL, NULL);
+       if (error)
+               return (error);
+
+       error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_ENABLE,
+           NULL, NULL, NULL, NULL);
+       if (error)
+               return (error);
 
        s = spltty();
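Review bot: The replacement lines switch btuartopen from `return error;` (the removed line at the top of the hunk) to `return (error);`, so the new code no longer matches the file's own return style; the same change is made in bcspopen in the next file, where the removed line also used the unparenthesized form. Separately, btuart.c puts a blank line between the ADD and ENABLE checks while bcsp.c does not; the two bluetooth opens should be formatted the same way, e.g. `if (error) return error;` in both, since their bodies are otherwise identical. Both functions continue past the end of their hunks.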
 
Index: sys/dev/bluetooth/bcsp.c
===================================================================
RCS file: /cvsroot/src/sys/dev/bluetooth/bcsp.c,v
retrieving revision 1.16
diff -u -p -r1.16 bcsp.c
--- sys/dev/bluetooth/bcsp.c    26 Apr 2009 07:53:43 -0000      1.16
+++ sys/dev/bluetooth/bcsp.c    5 May 2009 22:46:35 -0000
@@ -378,9 +378,14 @@ bcspopen(dev_t device __unused, struct t
        int error, unit, s;
        static char name[] = "bcsp";
 
-       if ((error = kauth_authorize_generic(l->l_cred,
-           KAUTH_GENERIC_ISSUSER, NULL)) != 0)
-               return error;
+       error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_ADD,
+           NULL, NULL, NULL, NULL);
+       if (error)
+               return (error);
+       error = kauth_authorize_device(l->l_cred, KAUTH_DEVICE_BLUETOOTH_ENABLE,
+           NULL, NULL, NULL, NULL);
+       if (error)
+               return (error);
 
        s = spltty();
 

