Fri Oct 2 22:05:52 2009 UTC ()
Let the ipkdb subsystem allow operations related to it rather than wrongly
doing so in the suser secmodel.


(elad)
diff -r1.26 -r1.27 src/sys/ipkdb/ipkdb_ipkdb.c
diff -r1.3 -r1.4 src/sys/secmodel/suser/secmodel_suser.c

cvs diff -r1.26 -r1.27 src/sys/ipkdb/Attic/ipkdb_ipkdb.c (expand / switch to context diff)
--- src/sys/ipkdb/Attic/ipkdb_ipkdb.c 2009/04/12 22:37:50 1.26
+++ src/sys/ipkdb/Attic/ipkdb_ipkdb.c 2009/10/02 22:05:52 1.27
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipkdb_ipkdb.c,v 1.26 2009/04/12 22:37:50 elad Exp $	*/
+/*	$NetBSD: ipkdb_ipkdb.c,v 1.27 2009/10/02 22:05:52 elad Exp $	*/
 
 /*
  * Copyright (C) 1993-2000 Wolfgang Solfrank.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipkdb_ipkdb.c,v 1.26 2009/04/12 22:37:50 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipkdb_ipkdb.c,v 1.27 2009/10/02 22:05:52 elad Exp $");
 
 #include "opt_ipkdb.h"
 
@@ -70,6 +70,8 @@
 
 static struct ipkdb_if ipkdb_if;
 
+static kauth_listener_t ipkdb_listener;
+
 static u_char *ipkdbaddr(u_char *, int *, void **);
 static void peekmem(struct ipkdb_if *, u_char *, void *, long);
 static void pokemem(struct ipkdb_if *, u_char *, void *, long);
@@ -89,6 +91,25 @@
 static int connectipkdb(struct ipkdb_if *, char *, int);
 static int hmac_init(void);
 
+static int
+ipkdb_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	enum kauth_system_req req;
+	int result;
+
+	req = (enum kauth_system_req)arg0;
+	result = KAUTH_RESULT_DEFER;
+
+	if ((action != KAUTH_SYSTEM_DEBUG) ||
+	    (req != KAUTH_REQ_SYSTEM_DEBUG_IPKDB))
+		return result;
+
+	result = KAUTH_RESULT_ALLOW;
+
+	return result;
+}
+
 void
 ipkdb_init(void)
 {
@@ -100,6 +121,9 @@
 		printf("IPKDB: No interface found!\n");
 		boothowto &= ~RB_KDB;
 	}
+
+	ipkdb_listener = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
+	    ipkdb_listener_cb, NULL);
 }
 
 void
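Review bot: kauth_listen_scope() is called unconditionally at the end of ipkdb_init, so the listener that allows IPKDB debug requests appears to be installed even when the block just above it reported "No interface found!" and cleared RB_KDB; if IPKDB cannot operate in that case, the allow decision arguably should not be registered either (an early return before the call in that branch would do it), but the start of ipkdb_init is outside the hunk so confirm the control flow there. The handle saved in ipkdb_listener is not paired with a kauth_unlisten_scope() anywhere in this diff; if ipkdb has no teardown path that is fine, otherwise the listener should be released there. A one-line comment such as `/* Let kauth know IPKDB owns decisions for its own debug requests. */` above the call would explain why ipkdb registers with the system scope at all.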

cvs diff -r1.3 -r1.4 src/sys/secmodel/suser/secmodel_suser.c (expand / switch to context diff)
--- src/sys/secmodel/suser/secmodel_suser.c 2009/10/02 21:56:28 1.3
+++ src/sys/secmodel/suser/secmodel_suser.c 2009/10/02 22:05:52 1.4
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.3 2009/10/02 21:56:28 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.3 2009/10/02 21:56:28 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -469,17 +469,6 @@
 	case KAUTH_SYSTEM_MKNOD:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
-		break;
-
-	case KAUTH_SYSTEM_DEBUG:
-		switch (req) {
-		case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
-		default:
-			/* Decisions are root-agnostic. */
-			result = KAUTH_RESULT_ALLOW;
-			break;
-		}
-
 		break;
 
 	case KAUTH_SYSTEM_CHSYSFLAGS:
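Review bot: Deleting the whole KAUTH_SYSTEM_DEBUG case also removes its `default:` arm, which previously answered KAUTH_RESULT_ALLOW for any request under KAUTH_SYSTEM_DEBUG, not only KAUTH_REQ_SYSTEM_DEBUG_IPKDB; after this change suser defers those, and as far as I know kauth denies an action that no listener allows. If IPKDB is the only request defined under KAUTH_SYSTEM_DEBUG this is harmless, but that should be confirmed before the behavior change lands silently. A short comment where the case used to be, e.g. `/* KAUTH_SYSTEM_DEBUG: decided by the owning subsystem's listener (see ipkdb). */`, would tell the next reader why suser no longer has an opinion here. The enclosing switch starts and continues outside the hunk.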