tech-security: Re: Integrating securelevel and kauth(9)

Subject: Re: Integrating securelevel and kauth(9)
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-security
Date: 03/26/2006 04:04:13

> So:
> 
> > it's better to write listeners to check "securelevel" variable
> > for appropriate scopes, rather than having a single scope gathering
> > these random operations.
> > ie. i think securelevel should be turned into listener(s), not a scope.
> 
> IIUC, you mean to create several listeners that would each be in charge
> of making a decision for different "knobs", and defer requests
> otherwise?
> 
> If so, to what scope should these listeners be attached to?

i meant, eg. you can write an listener like the following and
register it to KAUTH_SCOPE_PROCESS scope, to replace securelevel checks
in sys_ptrace() and process_checkioperm().

	int
	securelevel_process_listener_callback(....)
	{
		switch () {
		case KAUTH_PROCESS_CANPTRACE:
		case KAUTH_PROCESS_CANIO:
			if (p == initproc && securelevel > -1) {
				return KAUTH_RESULT_DENY;
			}
		}
		return KAUTH_RESULT_DEFER;
	}

> > btw, it seems that you are proposing two different things in this mail.
> > 	- adapt securelevel to kauth world
> > 	- make securelevel a bitmap
> > 
> > i'm not sure if the latter is a good idea.
> > why bother to complicate securelevel, while you can just have
> > another listener to implement finer-grained access control?
> 
> It's not really "make securelevel a bitmap", but introduce a new
> variable that'll store the information kauth(9) will refer to when a
> request is made.
> 
> If now there's an "int securelevel" kernel code can check before
> granting access to, say, open the raw memory device; if we are splitting
> the knobs, we need a place to store the values for all these knobs.
> 
> Where else would information such as "modifications to the packet
> filter rules are disallowed" will be kept? (granted, that's got to
> do more with the security model used; let's assume "traditional Unix"
> for the context ;)
> 
> ...or am I not understanding you correctly?

see the above example.
"int securelevel" should be enough to implement securelevel as a listener.

for the case of "filter rule modification", you can write another listener for
the scope which covers the operation.
yes, you need to create an appropriate scope, i think.

YAMAMOTO Takashi