Re: Vnode scope implementation
Following up on the thread, attached is a diff that introduces the
vnode scope without any actions on it, along with the bsd44/suser
listener.
Please review. :)
Thanks,
-e.
Index: sys/kern/kern_auth.c
===================================================================
RCS file: /usr/cvs/src/sys/kern/kern_auth.c,v
retrieving revision 1.62
diff -u -p -r1.62 kern_auth.c
--- sys/kern/kern_auth.c 5 Apr 2009 11:50:51 -0000 1.62
+++ sys/kern/kern_auth.c 12 Jul 2009 05:51:20 -0000
@@ -142,6 +142,7 @@ static kauth_scope_t kauth_builtin_scope
static kauth_scope_t kauth_builtin_scope_machdep;
static kauth_scope_t kauth_builtin_scope_device;
static kauth_scope_t kauth_builtin_scope_cred;
+static kauth_scope_t kauth_builtin_scope_vnode;
static unsigned int nsecmodels = 0;
@@ -830,6 +831,10 @@ kauth_init(void)
/* Register device scope. */
kauth_builtin_scope_device = kauth_register_scope(KAUTH_SCOPE_DEVICE,
NULL, NULL);
+
+ /* Register vnode scope. */
+ kauth_builtin_scope_vnode = kauth_register_scope(KAUTH_SCOPE_VNODE,
+ NULL, NULL);
}
/*
@@ -1052,6 +1057,24 @@ kauth_authorize_device_passthru(kauth_cr
data, NULL));
}
+int
+kauth_authorize_vnode(kauth_cred_t cred, kauth_action_t action,
+ struct vnode *vp, struct vnode *dvp, int fs_decision)
+{
+ int error;
+
+ error = kauth_authorize_action(kauth_builtin_scope_vnode, cred,
+ action, vp, dvp, KAUTH_ARG(fs_decision), NULL);
+
+ if (error)
+ error = EACCES;
+
+ if (!nsecmodels)
+ error = fs_decision;
+
+ return error;
+}
+
static int
kauth_cred_hook(kauth_cred_t cred, kauth_action_t action, void *arg0,
void *arg1)
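Review bot: `if (error) error = EACCES;` in kauth_authorize_vnode discards whichever errno the filesystem placed in fs_decision (EPERM, EROFS, ...) whenever the listeners do not allow, so callers that distinguish those cases only ever see EACCES; consider `if (error) error = fs_decision ? fs_decision : EACCES;` so the filesystem's verdict survives and EACCES is used only when kauth denied something the filesystem had permitted. The `if (!nsecmodels) error = fs_decision;` fallback runs after the kauth_authorize_action() call rather than short-circuiting it, which appears harmless but leaves the intent implicit; a comment such as `/* No security model loaded: the filesystem decision is authoritative. */` would help. The function is new and undocumented — a header comment stating that fs_decision is the filesystem's own errno (0 meaning allow), that it is passed to listeners as arg2 via KAUTH_ARG, and that the return value is an errno would help listener authors.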
Index: sys/sys/kauth.h
===================================================================
RCS file: /usr/cvs/src/sys/sys/kauth.h,v
retrieving revision 1.59
diff -u -p -r1.59 kauth.h
--- sys/sys/kauth.h 8 May 2009 11:09:43 -0000 1.59
+++ sys/sys/kauth.h 12 Jul 2009 05:53:29 -0000
@@ -67,6 +67,7 @@ typedef struct kauth_key *kauth_ke
#define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep"
#define KAUTH_SCOPE_DEVICE "org.netbsd.kauth.device"
#define KAUTH_SCOPE_CRED "org.netbsd.kauth.cred"
+#define KAUTH_SCOPE_VNODE "org.netbsd.kauth.vnode"
/*
* Generic scope - actions.
@@ -323,6 +324,8 @@ int kauth_authorize_device_tty(kauth_cre
int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
struct vnode *);
int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
+int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *,
+ struct vnode *, int);
/* Kauth credentials management routines. */
kauth_cred_t kauth_cred_alloc(void);
Index: sys/secmodel/bsd44/secmodel_bsd44_suser.c
===================================================================
RCS file: /usr/cvs/src/sys/secmodel/bsd44/secmodel_bsd44_suser.c,v
retrieving revision 1.67
diff -u -p -r1.67 secmodel_bsd44_suser.c
--- sys/secmodel/bsd44/secmodel_bsd44_suser.c 8 May 2009 11:09:43 -0000
1.67
+++ sys/secmodel/bsd44/secmodel_bsd44_suser.c 12 Jul 2009 05:54:59 -0000
@@ -65,7 +65,7 @@ __KERNEL_RCSID(0, "$NetBSD: secmodel_bsd
extern int dovfsusermount;
static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep,
- l_device;
+ l_device, l_vnode;
void
secmodel_bsd44_suser_start(void)
@@ -82,6 +82,8 @@ secmodel_bsd44_suser_start(void)
secmodel_bsd44_suser_machdep_cb, NULL);
l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
secmodel_bsd44_suser_device_cb, NULL);
+ l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
+ secmodel_bsd44_suser_vnode_cb, NULL);
}
#if defined(_LKM)
@@ -94,6 +96,7 @@ secmodel_bsd44_suser_stop(void)
kauth_unlisten_scope(l_network);
kauth_unlisten_scope(l_machdep);
kauth_unlisten_scope(l_device);
+ kauth_unlisten_scope(l_vnode);
}
#endif /* _LKM */
@@ -1157,3 +1160,27 @@ secmodel_bsd44_suser_device_cb(kauth_cre
return (result);
}
+
+int
+secmodel_bsd44_suser_vnode_cb(kauth_cred_t cred, kauth_action_t action,
+ void *cookie, void *arg0, void *arg1, void *arg2,
+ void *arg3)
+{
+ bool isroot;
+ int result;
+ struct vnode *vp, *dvp;
+ int fs_decision;
+
+ isroot = (kauth_cred_geteuid(cred) == 0);
+ result = KAUTH_RESULT_DEFER;
+
+ vp = arg0;
+ dvp = arg1;
+ fs_decision = (int)(uintptr_t)arg2;
+
+ if (isroot || fs_decision == 0)
+ result = KAUTH_RESULT_ALLOW;
+
+ return (result);
+}
+
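Review bot: `vp` and `dvp` in secmodel_bsd44_suser_vnode_cb are assigned from arg0/arg1 but never read, so -Wunused-but-set-variable warns and a reader cannot tell whether a vnode check was forgotten; either drop the two assignments or add `(void)vp; (void)dvp; /* listener ignores the vnodes for now */`. The callback is referenced from secmodel_bsd44_suser_start() before this definition and no hunk in the diff adds a prototype for it — confirm one exists alongside the other *_cb declarations (or make the function static if it is not exported) to avoid an implicit declaration. A non-root caller with a non-zero fs_decision gets KAUTH_RESULT_DEFER here, so the actual denial depends on how the framework treats an all-defer result; a one-line comment stating that expectation above the `return (result);` would make the policy explicit.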