Received: by mail.netbsd.org (Postfix, from userid 605) id EA11E14A1B9; Sun, 4 Dec 2011 19:25:04 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.netbsd.org (Postfix) with ESMTP id A946114A1B3 for ; Sun, 4 Dec 2011 19:25:03 +0000 (UTC) X-Virus-Scanned: amavisd-new at NetBSD.org Received: from mail.netbsd.org ([127.0.0.1]) by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025) with ESMTP id TAS0p4r4BBH6 for ; Sun, 4 Dec 2011 19:25:01 +0000 (UTC) Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id D0D3114A18A for ; Sun, 4 Dec 2011 19:25:01 +0000 (UTC) Received: by cvs.netbsd.org (Postfix, from userid 500) id B8610175DD; Sun, 4 Dec 2011 19:25:01 +0000 (UTC) MIME-Version: 1.0 Content-Disposition: inline Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Date: Sun, 4 Dec 2011 19:25:01 +0000 From: "Jean-Yves Migeon" Subject: CVS commit: src/sys To: source-changes@NetBSD.org X-Mailer: log_accum Message-Id: <20111204192501.B8610175DD@cvs.netbsd.org> Sender: source-changes-owner@NetBSD.org List-Id: source-changes.NetBSD.org Precedence: bulk Reply-To: source-changes-d@NetBSD.org Mail-Reply-To: "Jean-Yves Migeon" Mail-Followup-To: source-changes-d@NetBSD.org Module Name: src Committed By: jym Date: Sun Dec 4 19:25:01 UTC 2011 Modified Files: src/sys/kern: init_main.c kern_auth.c kern_module.c src/sys/rump/librump/rumpkern: Makefile.rumpkern rump.c src/sys/secmodel: files.secmodel src/sys/secmodel/bsd44: bsd44.h files.bsd44 secmodel_bsd44.c src/sys/secmodel/keylock: secmodel_keylock.c src/sys/secmodel/overlay: overlay.h secmodel_overlay.c src/sys/secmodel/securelevel: secmodel_securelevel.c securelevel.h src/sys/secmodel/suser: secmodel_suser.c suser.h src/sys/sys: kauth.h Added Files: src/sys/secmodel: secmodel.c secmodel.h src/sys/secmodel/extensions: extensions.h files.extensions secmodel_extensions.c Log Message: Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication. When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example: bool isroot; error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot); if (error == 0 && !isroot) result = KAUTH_RESULT_DENY; This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error. Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects. Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error. We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9). The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation: - curtain can be enabled any time, but cannot be disabled if securelevel is above 0. - usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0. Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat. Documentation is incoming, I am proof-reading my writings. Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@. See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html XXX might consider va0 mapping too. XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now. To generate a diff of this commit: cvs rdiff -u -r1.437 -r1.438 src/sys/kern/init_main.c cvs rdiff -u -r1.65 -r1.66 src/sys/kern/kern_auth.c cvs rdiff -u -r1.85 -r1.86 src/sys/kern/kern_module.c cvs rdiff -u -r1.113 -r1.114 src/sys/rump/librump/rumpkern/Makefile.rumpkern cvs rdiff -u -r1.237 -r1.238 src/sys/rump/librump/rumpkern/rump.c cvs rdiff -u -r1.4 -r1.5 src/sys/secmodel/files.secmodel cvs rdiff -u -r0 -r1.1 src/sys/secmodel/secmodel.c cvs rdiff -u -r0 -r1.4 src/sys/secmodel/secmodel.h cvs rdiff -u -r1.5 -r1.6 src/sys/secmodel/bsd44/bsd44.h cvs rdiff -u -r1.3 -r1.4 src/sys/secmodel/bsd44/files.bsd44 cvs rdiff -u -r1.14 -r1.15 src/sys/secmodel/bsd44/secmodel_bsd44.c cvs rdiff -u -r0 -r1.1 src/sys/secmodel/extensions/extensions.h \ src/sys/secmodel/extensions/files.extensions \ src/sys/secmodel/extensions/secmodel_extensions.c cvs rdiff -u -r1.5 -r1.6 src/sys/secmodel/keylock/secmodel_keylock.c cvs rdiff -u -r1.4 -r1.5 src/sys/secmodel/overlay/overlay.h cvs rdiff -u -r1.11 -r1.12 src/sys/secmodel/overlay/secmodel_overlay.c cvs rdiff -u -r1.22 -r1.23 \ src/sys/secmodel/securelevel/secmodel_securelevel.c cvs rdiff -u -r1.3 -r1.4 src/sys/secmodel/securelevel/securelevel.h cvs rdiff -u -r1.35 -r1.36 src/sys/secmodel/suser/secmodel_suser.c cvs rdiff -u -r1.1 -r1.2 src/sys/secmodel/suser/suser.h cvs rdiff -u -r1.65 -r1.66 src/sys/sys/kauth.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.