Extend the existing security models for upcoming gpio(4) changes. Reviewed, with feedback, by Elad Efrat.
diff -r1.67 -r1.68 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
(mbalmer)
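--- a/src/sys/secmodel/bsd44/Attic/secmodel_bsd44_suser.c
+++ b/src/sys/secmodel/bsd44/Attic/secmodel_bsd44_suser.c
@@ -1,14 +1,14 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
@@ -28,27 +28,27 @@
 
 /*
 * This file contains kauth(9) listeners needed to implement the traditional
 * NetBSD superuser access restrictions.
 *
 * There are two main resources a request can be issued to: user-owned and
 * system owned. For the first, traditional Unix access checks are done, as
 * well as superuser checks. If needed, the request context is examined before
 * a decision is made. For the latter, usually only superuser checks are done
 * as normal users are not allowed to access system resources.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.67 2009/05/08 11:09:43 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.68 2009/07/25 16:08:02 mbalmer Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kauth.h>
 
 #include <sys/acct.h>
 #include <sys/mutex.h>
 #include <sys/ktrace.h>
 #include <sys/mount.h>
 #include <sys/pset.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/tty.h>
@@ -1139,21 +1139,28 @@ secmodel_bsd44_suser_device_cb(kauth_cre
 
 case KAUTH_DEVICE_TTY_STI:
 if (isroot)
 result = KAUTH_RESULT_ALLOW;
 
 break;
 
 case KAUTH_DEVICE_RND_ADDDATA:
 case KAUTH_DEVICE_RND_GETPRIV:
 case KAUTH_DEVICE_RND_SETPRIV:
 if (isroot)
 result = KAUTH_RESULT_ALLOW;
 break;
-
+case KAUTH_DEVICE_GPIO_PINSET:
+/*
+* root can access gpio pins, secmodel_securlevel can veto
+* this decision.
+*/
+if (isroot)
+result = KAUTH_RESULT_ALLOW;
+break;
 default:
 result = KAUTH_RESULT_DEFER;
 break;
 }
 
 return (result);
 }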
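Review bot: The comment added above the new KAUTH_DEVICE_GPIO_PINSET case misspells the vetoing model, `secmodel_securlevel`, and should read `secmodel_securelevel`, since that name is what a reader will grep for when tracing why a root request is denied. The same hunk also consumes the blank line that separated the RND cases' `break;` from `default:`, so the new case runs straight on from the previous one, unlike the TTY_STI and RND cases above it which are separated by a blank line; restoring the blank line before `case KAUTH_DEVICE_GPIO_PINSET:` keeps the switch readable. Note that this listener grants root with no sub-action or argument inspection, so any finer distinction (for instance between reading and changing a pin's configuration) would have to come from a kauth_device_req sub-action that the commit does not define — worth stating in the comment if that is intentional. The enclosing function secmodel_bsd44_suser_device_cb begins outside the hunk.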
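--- a/src/sys/secmodel/securelevel/secmodel_securelevel.c
+++ b/src/sys/secmodel/securelevel/secmodel_securelevel.c
@@ -1,14 +1,14 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
@@ -25,27 +25,27 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
 /*
 * This file contains kauth(9) listeners needed to implement the traditional
 * NetBSD securelevel.
 *
 * The securelevel is a system-global indication on what operations are
 * allowed or not. It affects all users, including root.
 */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.11 2009/05/06 21:10:22 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.12 2009/07/25 16:08:02 mbalmer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
 #endif /* _KERNEL_OPT */
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kauth.h>
 
 #include <sys/conf.h>
 #include <sys/mount.h>
 #include <sys/sysctl.h>
 #include <sys/vnode.h>
@@ -524,19 +524,24 @@ secmodel_securelevel_device_cb(kauth_cre
 u_long bits;
 
 bits = (u_long)arg0;
 
 KASSERT(bits != 0);
 KASSERT((bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL) == 0);
 
 if (bits & ~KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF)
 result = KAUTH_RESULT_DENY;
 }
 
 break;
 
+case KAUTH_DEVICE_GPIO_PINSET:
+if (securelevel > 0)
+result = KAUTH_RESULT_DENY;
+break;
+
 default:
 break;
 }
 
 return (result);
 }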
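Review bot: The new KAUTH_DEVICE_GPIO_PINSET case carries no comment stating the policy it enforces, while the suser listener's matching case explicitly says this model may veto its decision; a reader of this file alone cannot tell that the DENY here is meant to override a root ALLOW elsewhere. A two-line comment above the `if (securelevel > 0)` would close that gap, e.g. `/* Pin configuration is frozen once securelevel is raised; this DENY overrides the suser listener's ALLOW for root. */`. It is also worth recording, in that comment or in kauth.h, that no sub-action is consulted, so the check is all-or-nothing for every GPIO pin operation routed through this action — presumably intended, but the commit does not say so. The enclosing function secmodel_securelevel_device_cb begins outside the hunk.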
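--- a/src/sys/sys/kauth.h
+++ b/src/sys/sys/kauth.h
@@ -1,14 +1,14 @@
-/* $NetBSD: kauth.h,v 1.59 2009/05/08 11:09:43 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.60 2009/07/25 16:08:02 mbalmer Exp $ */
 
 /*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -248,26 +248,27 @@ enum {
 */
 enum {
 KAUTH_DEVICE_TTY_OPEN=1,
 KAUTH_DEVICE_TTY_PRIVSET,
 KAUTH_DEVICE_TTY_STI,
 KAUTH_DEVICE_RAWIO_SPEC,
 KAUTH_DEVICE_RAWIO_PASSTHRU,
 KAUTH_DEVICE_BLUETOOTH_SETPRIV,
 KAUTH_DEVICE_RND_ADDDATA,
 KAUTH_DEVICE_RND_GETPRIV,
 KAUTH_DEVICE_RND_SETPRIV,
 KAUTH_DEVICE_BLUETOOTH_BCSP,
 KAUTH_DEVICE_BLUETOOTH_BTUART,
+KAUTH_DEVICE_GPIO_PINSET
 };
 
 /*
 * Device scope - sub-actions.
 */
 enum kauth_device_req {
 KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
 KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
 KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
 KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
 KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
 };
 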
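Review bot: The new enumerator `KAUTH_DEVICE_GPIO_PINSET` drops the trailing comma that the previous last element (`KAUTH_DEVICE_BLUETOOTH_BTUART,`) and the following `enum kauth_device_req` both keep, so the next action added to this scope will have to touch this line again; write it as `KAUTH_DEVICE_GPIO_PINSET,` to match the header's style. Appending it at the end of the enum is the right choice, since inserting it earlier would renumber every later action. Because neither listener in this commit reads arg0 or arg1 for this action, a one-line comment next to the enumerator saying that the action takes no arguments and no sub-action (if that is the intended contract) would spare future gpio(4) callers from guessing what to pass.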