I'm sponsoring this Fast Track for Ashish Joshi.
It updates PSARC/2005/691 Trusted Extensions for Device Allocation
to satisfy various Trusted Extensions-related RFEs for correctly mounting
removable media and for SunRay running in a Trusted Extensions environment.

A patch release binding is requested.  This project is intended to
be backported to a Solaris 10 update.

The interface taxonomy of PSARC/2005/691 is updated to the
current taxonomy by mapping the previously Evolving interfaces
to Uncommitted and previously Unstable (which is the human readable
output) to Not-An-Interface.

Evolving to Uncommitted is requested in light of a future planned, but
not yet scheduled, project to integrate the device allocation functionality
under Tamarack: Removable Media Enhancements in Solaris (PSARC/2005/399)
for all of the Solaris configurations.

Updated full and diff marked man pages are in the case directory.
'~' in the first column represents missing changes from 2005/691.
'+', '-', and '|' represent changes for this case.

The timer is set for 13 June 2007

Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Background:
===========
PSARC/2005/691 Trusted Extensions for Device Allocation added label support
to the Device Allocation functionality already in Solaris (as part of the
BSM project done in the SunOS 5.3 time frame and still not fully ARCed).

Device Allocation is designed to meet confidentiality, object reuse
and accountability requirements for non-media (e.g., audio, printing) and
removable media (e.g., floppy, cdrom, usb disk) devices.  This is largely
accomplished by disabling vold(1M), hald(1M), logindevperm(4) and replacing
the functionality with the device_allocate(4) and device_maps(4) databases,
and the allocate(1), deallocate(1) and list_devices(1) CLIs.  Non-media
and removable media devices are not accessible to users until "allocated."
Devices don't become available for other user access until "deallocated."
Allocation consists of verifying if the user is authorized to use the
device, then changing its ownership and permissions to exclusive use
of the user and finally auditing.  Deallocation removes the ownership, clears
the permissions, runs a device_clean(5) script/program to remove any remaining
state or media (object reuse) and audits.

PSARC/2005/691 added label checking to allocate(1) and the running of
device_clean, which calls rmmount(1M) where appropriate to mount media.
Also added were add_allocatable(1M) and remove_allocatable(1M) to manage
device_allocate(4) and device_maps(4).  Depending on the future projects
to integrate with Tamarack, they may not survive.

Problem 1:
==========
allocate/deallocate/list_devices(1) have a number of undocumented exit
codes.  While these should have been documented as part of the SunOS 5.3
putback or PSARC/2005/691, they never were.  It turns out SunRay is
relying on one of these values to determine if it should retry a failed
operation.

Solution 1:
===========
Document the return values for allocate/deallocate/list_devices(1)
on the man page.  Since this has not been documented before and
there appear to be no other consumers, the project team proposes:

EXIT STATUS
     The following exit values are returned:
      
|    0              Success.
+    20             No entry for specified device.
+    Other values   General error
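Review bot: "Other values   General error" leaves every non-zero code except 20 undefined, while Problem 1 says a consumer (SunRay) already keys its retry decision on one specific value; the EXIT STATUS text should say explicitly that callers must treat all values other than 0 and 20 as failure and must not depend on their numeric value, so that the interface being committed here is the one SunRay can safely rely on.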

Problem 2:
==========
The existing exit values from device_clean(5) (missing from the current
man page -- see case directory) are insufficient to determine the type
of outcome for mounting removable media.  allocate/deallocate need to
react differently to mount/umount success/failure than general success/failure.
A failed mount should not place the device in an error state.  The user
should be allowed to proceed, perhaps to format and mount the device.

Solution 2:
===========
Add new exit values to device_clean.  This allows allocate/deallocate
to correctly set up device mounts based on the mount status.
   
   device_clean(5):
~~~~~~~~~~~~~~~~~~~~~~

EXIT VALUES
~   The following exit values are returned:
~
~     0         Successful completion.
~
~     1         An error. Caller may place device in error
~               state.
~       
~     2         A system error.  Caller may place device in error
~               state. 
~
+     On  a  system  configured  with  Trusted  Extensions,   the
+     following additional exit values are returned:
+
+     3         Mounting of device failed. Caller shall not
+               place device in error state.
+
+     4         Mounting of device succeeded.
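Review bot: the relationship between exit value 0 ("Successful completion") and the new value 4 ("Mounting of device succeeded") is not stated, so a caller cannot tell from this text whether 0 means the script did not attempt a mount or that it mounted as well; allocate/deallocate need exactly that distinction per Problem 2. Suggest wording such as "0  Successful completion; no mount was attempted" and "4  Device cleaned and mounted", and for 3 say whether the clean step itself completed even though the mount failed, since the caller is told not to enter the error state.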

Problem 3:
==========
The existing device type values of device_allocate(4) are insufficient to
allow for proper operation with SunRay.  SunRay operation needs to be
able to know about and manage all the devices associated with a particular
SunRay session, orthogonally to the existing device type.  When a SunRay
session terminates, it needs to atomically clean up and know it is done.
When the device management GUI needs to list the devices associated
with the SunRay session, it needs to do so orthogonally to the type
of device.  Furthermore, SunRay needs to keep track of which allocated
devices are associated with which display.
(When a local/console session terminates, devices remain allocated unless
the user deallocated them.)

Solution 3:
===========
Add a new key word, "class", in device_allocate(4) (key words were
introduced in PSARC/2005/691, but are missing from the current man page
-- see case directory) to the existing key words to distinguish a class
of devices.  Add a new key word, "xdpy", in device_allocate(4) to the
existing key words to store an X Display name.  Both new key words
are generic and are not restricted to SunRay operation.  SunRay is the
first identified consumer.  
add_allocatable(1M) and remove_allocatable(1M) are used to update
device_allocate(4).

   device_allocate(4):
~~~~~~~~~~~~~~~~~~~~~~

DESCRIPTION
     The device_allocate file contains mandatory  access  control
     information  about  each  physical  device.  Each  device is
     represented by a one line entry of the form:
     
~    device-name;device-type;reserved1;reserved2;auths;device-exec

     device-type    This is an arbitrary ASCII string naming  the
                    generic  device  type.  This field identifies
                    and groups together  devices  of  like  type.
                    This  field  contains no embedded white space
~                   or non-printable characters.  The   following
~                   types of devices are currently managed by the
~                   system:  audio, sr (represents CDROM drives),
~                   fd (represents floppy drives), st (represents
~                   tape drives), rmdisk (removable media devices)

~    reserved1      On systems configured with Trusted Extensions,
~                   this field stores a  colon-separated (:) list
~                   of  key-value  pairs  that  describe   device
~                   allocation    attributes   used   in  Trusted
~                   Extensions.   Zero   or   more  keys  may  be
~                   specified. The  following  keys are currently
~                   interpreted by Trusted Extensions systems:
~                   minlabel       Specifies the minimum label at
~                                  which device can be allocated.
~                                  Default value is admin_low.
~                   maxlabel       Specifies the maximum label at
~                                  which device can be allocated.
~                                  Default value is admin_high.
~                   zone           Specifies the name of the zone
~                                  in  which device  is currently
~                                  allocated.
+                   class          Specifies  a  logical grouping
+                                  of devices. For e.g., all  Sun
+                                  Ray devices of all device types.
+                                  There  is  no  default   class.
+                   xdpy           Specifies the X Display name.
+                                  This is used to identify devices
+                                  associated with that X session.
+                                  There is no default xdpy value.
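Review bot: reserved1 is documented a few lines up as "a colon-separated (:) list of key-value pairs", but an X Display name has the form host:display.screen (":0", "host:0.0"), so any xdpy value will itself contain ':'. The new xdpy entry should say how such a value is written in the field (escaping, quoting, or a restriction on the stored form) so that add_allocatable -o and the file parser agree; as written the format is ambiguous. Also "For e.g." says "for for example"; use "For example".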

   add_allocatable(1M):
~~~~~~~~~~~~~~~~~~~~~~

OPTIONS

     -o key=value    Accepts   a   string   of    colon-separated
                     key=value  pairs for a device that is speci-
                     fied with -n or with  devices  of  the  type
                     that  is  specified  with  -t. The following
                     keys are currently interpreted by  the  sys-
                     tem:
 
                     minlabel The minimum label at which the dev-
                              ice can be used.
 
                     maxlabel The maximum label at which the dev-
                              ice can be used.

+                    class    Specifies  a  logical  grouping of
+                             devices.  For  e.g., all SunRay
+                             devices of all device types. There
+                             no default class specified.
+
+                    xdpy     Specifies the X Display name.
+                             This is used to identify devices
+                             associated with that X session.
+                             There is no default xdpy value.
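Review bot: the class entry reads "There no default class specified"; insert "is". "For e.g." should be "For example". Since -o takes one colon-separated string of key=value pairs, the same question as in device_allocate(4) applies here: document how an X Display name containing ':' (for example xdpy=host:0.0) is passed on the command line.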
 
   remove_allocatable(1M):
~~~~~~~~~~~~~~~~~~~~~~

SYNOPSIS
|    /usr/sbin/remove_allocatable [-f] [-n name | -c dev-class]

     /usr/sbin/remove_allocatable [-f] [-d] -t dev-type

OPTIONS

+    -c dev-class    Removes devices that belong to dev-class.
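Review bot: in the first SYNOPSIS form, [-n name | -c dev-class] makes both selectors optional, so plain "remove_allocatable [-f]" with nothing to select becomes syntactically valid; if exactly one of -n or -c is required, write it as { -n name | -c dev-class }. The -c description should also state whether -f applies to it and what happens when some devices in dev-class are currently allocated, as the -t form has -f and -d for.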

   deallocate(1):
~~~~~~~~~~~~~~~~~~~~~~

SYNOPSIS
|    deallocate [-s] [-w] [-F] [-z zonename]
+        [-c dev-class | -g dev-type | device]

-    deallocate [-s] [-w] [-F] [-z zonename] -g dev-type
 
     deallocate [-s] [-w] [-F] [-z zonename] -I

OPTIONS
     The following options are supported:

+    -c dev-class Deallocates  all  devices   of  the   specified
+                 device class.

   list_devices(1):
~~~~~~~~~~~~~~~~~~~~~~

SYNOPSIS
     list_devices [-s] [-U uid] [-z zonename] [-a]
|        [-l | -n | -u] [-c dev-class | device]

DESCRIPTION
     The list_devices utility lists the  allocatable  devices  in
     the system according to specified qualifications.

     The device and all device special files associated with  the
     device  are  listed. The device argument is optional and, if
|    it is not present, all relevant devices are listed,   unless
+    dev-class is present, in which case devices belonging to the
+    specified dev-class are listed.  There  is  no       default
+    dev-class.

OPTIONS
     The following options are supported:

|    -l [-c dev-class | device]
                    Lists the pathname(s) of the  device  special
                    files  associated  with  the  device that are
|                   allocatable to the current process.
+                   If dev-class is given,  lists  only the files
+                   associated with all devices of the  specified
+                   device class.
|                   If  device is  given,  lists  only  the files
|                   associated with the specified device.

|    -n [-c dev-class | device]
                    Lists the pathname(s) of device special files
                    associated  with the device that are allocat-
                    able to  the  current  process  but  are  not
|                   currently  allocated.
+                   If dev-class is given,  lists  only the files
+                   associated with all devices of the  specified
+                   device class.
|                   If  device is  given,  lists  only  the files
|                   associated with the specified device.

|    -u [-c dev-class | device]
                    Lists  the  pathname(s)  of  device   special
                    files,  associated  with  the device that are
                    allocated to the owner of  the  current  pro-
|                   cess.
+                   If dev-class is given,  lists  only the files
+                   associated with all devices of the  specified
+                   device class.
|                   If  device is  given,  lists  only  the files
|                   associated with the specified device.

     -U uid         Uses the user ID uid instead of the real user
                    ID of the current process when performing the
                    list_devices operation. Only a user with  the
                    solaris.device.revoke  authorization  can use
                    this option.

     -s             Silent. Suppresses any diagnostic output.
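Review bot: -c dev-class appears in the SYNOPSIS as a top-level option ([-c dev-class | device]) and again as a sub-argument of each of -l, -n and -u, but the OPTIONS list has no separate "-c dev-class" entry of its own as deallocate(1) does; add one, and the three identical "If dev-class is given ..." sentences can then be said once. The DESCRIPTION line "There  is  no       default dev-class." also has stray internal spacing.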

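As an added example (not code from this case, from SunRay, or from Solaris), here is a small parser for the device_allocate(4) entry format shown above, splitting out the reserved1 key=value list and providing the by-class and by-display selections that the new -c dev-class and xdpy key are meant to support. The sample entries, the class name "sunray", the display names and the device_clean paths are constructed for this example. The man page text does not say how an xdpy value containing ':' is stored in a colon-separated field; the convention used below, re-joining a colon-delimited fragment that carries no '=' to the preceding value, is this example's own assumption, not documented system behaviour.

```python
"""device_allocate(4) entry parser with class / xdpy selection.

Entry format, from the man page excerpt in the case:
    device-name;device-type;reserved1;reserved2;auths;device-exec
reserved1 is a colon-separated list of key=value pairs (minlabel, maxlabel,
zone, class, xdpy).  Everything in SAMPLE_DEVICE_ALLOCATE is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample entries; field order and key names follow the excerpt.
# The class name, display names and clean-script paths are made up.
SAMPLE_DEVICE_ALLOCATE = """\
# comment and blank lines are skipped (parser assumption)
audio;audio;minlabel=admin_low:maxlabel=admin_high;reserved;solaris.device.allocate;/etc/security/lib/audio_clean
cdrom0;sr;minlabel=admin_low:maxlabel=admin_high:class=sunray:xdpy=srhost:0.0;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
rmdisk0;rmdisk;class=sunray:xdpy=srhost:0.0:zone=public;reserved;solaris.device.allocate;/etc/security/lib/disk_clean
rmdisk1;rmdisk;class=sunray:xdpy=srhost:1.0;reserved;solaris.device.allocate;/etc/security/lib/disk_clean
fd0;fd;;reserved;solaris.device.allocate;/etc/security/lib/fd_clean
"""


@dataclass
class AllocEntry:
    name: str
    dev_type: str
    attrs: Dict[str, str]      # parsed reserved1 key=value pairs
    reserved2: str
    auths: str
    dev_exec: str

    @property
    def dev_class(self) -> Optional[str]:
        return self.attrs.get("class")   # no default class (man page)

    @property
    def xdpy(self) -> Optional[str]:
        return self.attrs.get("xdpy")    # no default xdpy value (man page)


def parse_reserved1(text: str) -> Dict[str, str]:
    """Split the colon-separated key=value list in reserved1.

    Assumption (not from the man page): an X display name such as
    'host:0.0' contains ':', so a fragment without '=' cannot start a new
    pair and is re-joined to the value of the preceding key.
    """
    attrs: Dict[str, str] = {}
    if not text:
        return attrs
    last_key: Optional[str] = None
    for frag in text.split(":"):
        if "=" in frag:
            key, _, value = frag.partition("=")
            if not key:
                raise ValueError(f"empty key in reserved1: {text!r}")
            if key in attrs:
                raise ValueError(f"duplicate key {key!r} in reserved1: {text!r}")
            attrs[key] = value
            last_key = key
        elif last_key is not None:
            attrs[last_key] += ":" + frag     # continuation of previous value
        else:
            raise ValueError(f"fragment {frag!r} is not key=value: {text!r}")
    return attrs


def parse_device_allocate(content: str) -> List[AllocEntry]:
    """Parse a device_allocate(4) file; one entry per non-comment line."""
    entries: List[AllocEntry] = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 ';'-separated fields, got {len(fields)}")
        name, dev_type, reserved1, reserved2, auths, dev_exec = fields
        entries.append(AllocEntry(name, dev_type, parse_reserved1(reserved1),
                                  reserved2, auths, dev_exec))
    return entries


def select_by_class(entries: List[AllocEntry], dev_class: str) -> List[str]:
    """Device names of every device type carrying class=dev_class
    (the set a -c dev-class option would act on)."""
    return [e.name for e in entries if e.dev_class == dev_class]


def group_by_xdpy(entries: List[AllocEntry]) -> Dict[str, List[str]]:
    """Map X display name -> device names, for per-session cleanup."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if e.xdpy is not None:
            groups.setdefault(e.xdpy, []).append(e.name)
    return groups


if __name__ == "__main__":
    ents = parse_device_allocate(SAMPLE_DEVICE_ALLOCATE)
    print("class=sunray:", select_by_class(ents, "sunray"))
    print("by display:", group_by_xdpy(ents))
```

Running the module on the constructed sample selects cdrom0, rmdisk0 and rmdisk1 for class "sunray" across the sr and rmdisk device types, and groups cdrom0 and rmdisk0 under display "srhost:0.0" and rmdisk1 under "srhost:1.0", which is the per-display bookkeeping Problem 3 asks for.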