Where will the new checks for sys_dl_config be inserted? Will the other
protections (except for WiFi) be removed (particularly from the device
drivers and the framework components? -- also the VNIC file permissions?)
"show-wifi" would be very, very useful to have reduced privilege (none?)
access to.
-- Garrett
Sebastien Roy wrote:
> Hi folks,
>
> I have a proposal for a PSARC fast-track detailing the breakdown of
> privileges for dladm. One question is the behavior of the *-secobj
> subcommands that for some reason require authorizations in addition to
> privileges, but not the show-secobj subcommand. I'm not sure if it's
> safe to allow show-secobj with no privileges, and there's a "?" in the
> text until I get that solved.
>
> I didn't include any implementation details in here such as how modules
> register their ioctls of interest with dld and how dld then shuttles
> ioctls to those modules. If you think those details are missing, I can
> add them.
>
> Comments welcome:
>
> Fine-Grained Privileges for Datalink Administration
>
> 1. Summary
>
> This case proposes to break down the privilege model for datalink
> administration through dladm(1M) in order to allow unprivileged
> users access to a subset of administrative operations.
>
> The stability level of dladm and its subcommands is Committed,
> and the release binding for this case is Patch. No incompatible
> changes are being introduced.
>
> 2. Background
>
> The dladm(1M) command currently contains an explicit and global
> check for the sys_net_config and net_rawaccess privileges. If these
> privileges are not in the effective set at the time the command is
> run, the command exits with an error claiming "insufficient
> privileges". This check is unnecessary since the kernel contains
> privilege checks for the various operations that dladm performs
> (detailed below), but nevertheless, it's there and is relevant to
> this case.
>
> Most kernel state is accessed (through libdladm.so) by issuing
> Project-Private ioctls to three pseudo device nodes in
> /devices/pseudo/ (dld at 0:ctl, aggr at 0:ctl, and vnic at 0:ctl). These
> ioctls themselves do not have individual privilege requirements.
> Opening the dld and aggr control devices requires the sys_net_config
> privilege due to entries in /etc/security/device_policy, and the
> vnic control device only allows root access by virtue of its device
> node's file permissions.
>
> WiFi-related kernel state is accessed by opening DLPI device nodes
> of interest in /dev/net and issuing ioctls. Opening DLPI nodes
> requires the net_rawaccess privilege, and WiFi drivers additionally
> require the sys_net_config privilege to issue WiFi ioctls.
>
> The result is that all dladm operations require the sys_net_config
> and net_rawaccess privileges. The vnic operations are currently
> private interfaces to xVM accessed through the project-private
> /usr/lib/vna command, and require the root user-id (all privileges).
>
> 3. Proposed Architectural Changes
>
> This case proposes a new sys_dl_config privilege that is a subset of
> the existing sys_net_config privilege. This privilege will be
> required to make modifications to datalink configuration, but will
> not be required to read datalink configuration. With the exception
> of WiFi administration detailed in 3.1, no additional privileges
> will be required to interact with datalink configuration.
>
> The end result for users of dladm will be the following set of
> required privileges for each existing subcommand:
>
> show-link [none]
> rename-link sys_dl_config
> delete-phys sys_dl_config
> show-phys [none]
> show-dev [none]
> create-aggr sys_dl_config
> modify-aggr sys_dl_config
> delete-aggr sys_dl_config
> add-aggr sys_dl_config
> remove-aggr sys_dl_config
> show-aggr [none]
> create-vlan sys_dl_config
> delete-vlan sys_dl_config
> show-vlan [none]
> scan-wifi net_rawaccess, sys_dl_config *
> connect-wifi net_rawaccess, sys_dl_config *
> disconnect-wifi net_rawaccess, sys_dl_config *
> show-wifi net_rawaccess, sys_dl_config *
> set-linkprop sys_dl_config
> reset-linkprop sys_dl_config
> show-linkprop [none]
> create-secobj sys_dl_config, solaris.network.link.security
> delete-secobj sys_dl_config, solaris.network.link.security
> show-secobj sys_dl_config (?)
> show-ether [none]
>
> * See section 3.1 regarding WiFi subcommands.
>
> 3.1. WiFi Link Administration
>
> Breaking down the privileges required to administer WiFi links
> (using the WiFi-related dladm subcommands) is outside the scope of
> this case. The reason is simply that more work is needed to convert
> the driver ioctls issued through /dev/net to other operations that
> do not require the net_rawaccess privilege. That work will be done
> separately, and the architecture detailed in this case will make
> that work possible, but as a future case.
>
> This case does propose to relax the requirement for WiFi ioctls from
> sys_net_config to the new sys_dl_config privilege in order to be
> in-line with other GLDv3 datalink administration ioctls. The
> net_rawaccess privilege will still be required for WiFi operations,
> however, since libdladm.so still has to open /dev/net DLPI nodes in
> order to issue WiFi ioctls.
>
>
> _______________________________________________
> nwam-discuss mailing list
> nwam-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/nwam-discuss
>
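The contrast between the current global check and the proposed per-operation check, as an added model written for this post (it is not OpenSolaris or dladm code). It assumes a bitmask standing in for the effective privilege set, a hand-picked subset of the subcommand table above, and that a process holding sys_net_config also satisfies a sys_dl_config check, which is how the proposal's "subset" wording is read here.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Constructed privilege bits standing in for the effective set. */
#define PRIV_SYS_NET_CONFIG 0x1u
#define PRIV_NET_RAWACCESS  0x2u
#define PRIV_SYS_DL_CONFIG  0x4u   /* proposed subset of sys_net_config */

typedef enum { OP_READ, OP_MODIFY, OP_WIFI } op_kind_t;

/* Subset of the proposal's subcommand table, classified by what the
 * underlying dld ioctl does (read-only, modify, or WiFi via /dev/net). */
static const struct { const char *subcmd; op_kind_t kind; } ops[] = {
    { "show-link",    OP_READ   },
    { "rename-link",  OP_MODIFY },
    { "create-vlan",  OP_MODIFY },
    { "show-wifi",    OP_WIFI   },
    { "connect-wifi", OP_WIFI   },
};

/* Current behaviour: dladm's global check rejects anything unless both
 * sys_net_config and net_rawaccess are in the effective set. */
int old_model_check(const char *subcmd, unsigned eset)
{
    const unsigned need = PRIV_SYS_NET_CONFIG | PRIV_NET_RAWACCESS;
    (void)subcmd;   /* the subcommand does not matter today */
    return (eset & need) == need ? 0 : EPERM;
}

/* Proposed behaviour: the check moves into the kernel, per ioctl.
 * Reads need nothing; modifications need sys_dl_config (assumed to be
 * satisfied by the sys_net_config superset); WiFi additionally needs
 * net_rawaccess because /dev/net DLPI nodes must still be opened. */
int new_model_check(const char *subcmd, unsigned eset)
{
    bool dl_config = (eset & (PRIV_SYS_DL_CONFIG | PRIV_SYS_NET_CONFIG)) != 0;
    bool rawaccess = (eset & PRIV_NET_RAWACCESS) != 0;

    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++) {
        if (strcmp(ops[i].subcmd, subcmd) != 0)
            continue;
        switch (ops[i].kind) {
        case OP_READ:   return 0;
        case OP_MODIFY: return dl_config ? 0 : EPERM;
        case OP_WIFI:   return (dl_config && rawaccess) ? 0 : EPERM;
        }
    }
    return EINVAL;   /* unknown subcommand */
}
```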