 @@ -1,14 +1,14 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. The name of the author may not be used to endorse or promote products
 @@ -28,27 +28,27 @@
 /*
  * This file contains kauth(9) listeners needed to implement the traditional
  * NetBSD superuser access restrictions.
+ *
  * There are two main resources a request can be issued to: user-owned and
  * system owned. For the first, traditional Unix access checks are done, as
  * well as superuser checks. If needed, the request context is examined before
  * a decision is made. For the latter, usually only superuser checks are done
  * as normal users are not allowed to access system resources.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $");
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kauth.h>
 #include <sys/acct.h>
 #include <sys/mutex.h>
 #include <sys/ktrace.h>
 #include <sys/mount.h>
 #include <sys/pset.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/tty.h>
 @@ -1139,21 +1139,28 @@ secmodel_bsd44_suser_device_cb(kauth_cre
 	case KAUTH_DEVICE_TTY_STI:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;
 	case KAUTH_DEVICE_RND_ADDDATA:
 	case KAUTH_DEVICE_RND_GETPRIV:
 	case KAUTH_DEVICE_RND_SETPRIV:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;
 	case KAUTH_DEVICE_GPIO_PINSET:
 		/*
 		 * root can access gpio pins, secmodel_securlevel can veto
 		 * this decision.
 		 */
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;
 	default:
 		result = KAUTH_RESULT_DEFER;
 		break;
+	}
 	return (result);
+}

 @@ -1,14 +1,14 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  * 3. The name of the author may not be used to endorse or promote products
 @@ -25,27 +25,27 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 /*
  * This file contains kauth(9) listeners needed to implement the traditional
  * NetBSD securelevel.
+ *
  * The securelevel is a system-global indication on what operations are
  * allowed or not. It affects all users, including root.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
 #endif /* _KERNEL_OPT */
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kauth.h>
 #include <sys/conf.h>
 #include <sys/mount.h>
 #include <sys/sysctl.h>
 #include <sys/vnode.h>
 @@ -524,19 +524,24 @@ secmodel_securelevel_device_cb(kauth_cre
 			u_long bits;
 			bits = (u_long)arg0;
 			KASSERT(bits != 0);
 			KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
 			if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
 				result = KAUTH_RESULT_DENY;
+		}
 		break;
 	case KAUTH_DEVICE_GPIO_PINSET:
 		if (securelevel > 0)
 			result = KAUTH_RESULT_DENY;
 		break;
 	default:
 		break;
+	}
 	return (result);
+}

 @@ -1,14 +1,14 @@
-/* $NetBSD: kauth.h,v 1.59 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.60 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -248,26 +248,27 @@ enum {
  */
 enum {
 	KAUTH_DEVICE_TTY_OPEN=1,
 	KAUTH_DEVICE_TTY_PRIVSET,
 	KAUTH_DEVICE_TTY_STI,
 	KAUTH_DEVICE_RAWIO_SPEC,
 	KAUTH_DEVICE_RAWIO_PASSTHRU,
 	KAUTH_DEVICE_BLUETOOTH_SETPRIV,
 	KAUTH_DEVICE_RND_ADDDATA,
 	KAUTH_DEVICE_RND_GETPRIV,
 	KAUTH_DEVICE_RND_SETPRIV,
 	KAUTH_DEVICE_BLUETOOTH_BCSP,
 	KAUTH_DEVICE_BLUETOOTH_BTUART,
 	KAUTH_DEVICE_GPIO_PINSET
 };
 /*
  * Device scope - sub-actions.
  */
 enum kauth_device_req {
 	KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
 	KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
 	KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
 	KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
 	KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
 };