Module Name: src
Committed By: elad
Date: Fri Oct 2 23:58:54 UTC 2009
Modified Files:
src/sys/kern: tty.c
src/sys/secmodel/suser: secmodel_suser.c
Log Message:
Put the tty opening policy back in the subsystem.
Remove include we don't need from the secmodel code.
To generate a diff of this commit:
cvs rdiff -u -r1.232 -r1.233 src/sys/kern/tty.c
cvs rdiff -u -r1.13 -r1.14 src/sys/secmodel/suser/secmodel_suser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/tty.c
diff -u src/sys/kern/tty.c:1.232 src/sys/kern/tty.c:1.233
--- src/sys/kern/tty.c:1.232 Sat Aug 1 23:07:05 2009
+++ src/sys/kern/tty.c Fri Oct 2 23:58:53 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: tty.c,v 1.232 2009/08/01 23:07:05 christos Exp $ */
+/* $NetBSD: tty.c,v 1.233 2009/10/02 23:58:53 elad Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -63,7 +63,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.232 2009/08/01 23:07:05 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tty.c,v 1.233 2009/10/02 23:58:53 elad Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -206,6 +206,8 @@
uint64_t tk_nout;
uint64_t tk_rawcc;
+static kauth_listener_t tty_listener;
+
SYSCTL_SETUP(sysctl_kern_tkstat_setup, "sysctl kern.tkstat subtree setup")
{
@@ -2717,6 +2719,36 @@
va_end(ap);
}
+static int
+tty_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct tty *tty;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+
+ if (action != KAUTH_DEVICE_TTY_OPEN)
+ return result;
+
+ tty = arg0;
+
+ /* If it's not opened, we allow. */
+ if ((tty->t_state & TS_ISOPEN) == 0)
+ result = KAUTH_RESULT_ALLOW;
+ else {
+ /*
+ * If it's opened, we can only allow if it's not exclusively
+ * opened; otherwise, that's a privileged operation and we
+ * let the secmodel handle it.
+ */
+ if ((tty->t_state & TS_XCLUDE) == 0)
+ result = KAUTH_RESULT_ALLOW;
+ }
+
+ return result;
+}
+
/*
* Initialize the tty subsystem.
*/
@@ -2728,6 +2760,9 @@
rw_init(&ttcompat_lock);
tty_sigsih = softint_establish(SOFTINT_CLOCK, ttysigintr, NULL);
KASSERT(tty_sigsih != NULL);
+
+ tty_listener = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
+ tty_listener_cb, NULL);
}
/*
Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.13 src/sys/secmodel/suser/secmodel_suser.c:1.14
--- src/sys/secmodel/suser/secmodel_suser.c:1.13 Fri Oct 2 23:50:16 2009
+++ src/sys/secmodel/suser/secmodel_suser.c Fri Oct 2 23:58:53 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.13 2009/10/02 23:50:16 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.14 2009/10/02 23:58:53 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.13 2009/10/02 23:50:16 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.14 2009/10/02 23:58:53 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -48,7 +48,6 @@
#include <sys/mount.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
-#include <sys/tty.h>
#include <sys/vnode.h>
#include <sys/proc.h>
#include <sys/uidinfo.h>
@@ -955,7 +954,6 @@
secmodel_suser_device_cb(kauth_cred_t cred, kauth_action_t action,
void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
- struct tty *tty;
bool isroot;
int result;
@@ -1001,14 +999,7 @@
break;
case KAUTH_DEVICE_TTY_OPEN:
- tty = arg0;
-
- if (!(tty->t_state & TS_ISOPEN))
- result = KAUTH_RESULT_ALLOW;
- else if (tty->t_state & TS_XCLUDE) {
- if (isroot)
- result = KAUTH_RESULT_ALLOW;
- } else
+ if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
