Module Name: src Committed By: elad Date: Sat Oct 3 00:37:02 UTC 2009
Modified Files: src/sys/dist/ipf/netinet: ip_fil_netbsd.c src/sys/dist/pf/net: pf_ioctl.c src/sys/secmodel/suser: secmodel_suser.c Log Message: Move firewall/NAT policy back to respective subsystems (pf, ipf). Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them. To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/sys/dist/ipf/netinet/ip_fil_netbsd.c cvs rdiff -u -r1.36 -r1.37 src/sys/dist/pf/net/pf_ioctl.c cvs rdiff -u -r1.16 -r1.17 src/sys/secmodel/suser/secmodel_suser.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dist/ipf/netinet/ip_fil_netbsd.c diff -u src/sys/dist/ipf/netinet/ip_fil_netbsd.c:1.51 src/sys/dist/ipf/netinet/ip_fil_netbsd.c:1.52 --- src/sys/dist/ipf/netinet/ip_fil_netbsd.c:1.51 Wed Aug 19 08:36:10 2009 +++ src/sys/dist/ipf/netinet/ip_fil_netbsd.c Sat Oct 3 00:37:02 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: ip_fil_netbsd.c,v 1.51 2009/08/19 08:36:10 darrenr Exp $ */ +/* $NetBSD: ip_fil_netbsd.c,v 1.52 2009/10/03 00:37:02 elad Exp $ */ /* * Copyright (C) 1993-2003 by Darren Reed. @@ -8,7 +8,7 @@ #if !defined(lint) #if defined(__NetBSD__) #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ip_fil_netbsd.c,v 1.51 2009/08/19 08:36:10 darrenr Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip_fil_netbsd.c,v 1.52 2009/10/03 00:37:02 elad Exp $"); #else static const char sccsid[] = "@(#)ip_fil.c 2.41 6/5/96 (C) 1993-2000 Darren Reed"; static const char rcsid[] = "@(#)Id: ip_fil_netbsd.c,v 2.55.2.66 2009/05/17 17:45:26 darrenr Exp"; @@ -115,6 +115,11 @@ #if __NetBSD_Version__ < 200000000 extern struct protosw inetsw[]; #endif + +#if (__NetBSD_Version__ >= 599002000) +static kauth_listener_t ipf_listener; +#endif + #if (__NetBSD_Version__ < 399001400) extern int ip6_getpmtu __P((struct route_in6 *, struct route_in6 *, struct ifnet *, struct in6_addr *, u_long *, @@ -300,6 +305,28 @@ } #endif /* IPFILTER_LKM */ +#if (__NetBSD_Version__ >= 599002000) +static int +ipf_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, + void *arg0, void *arg1, void *arg2, void *arg3) +{ + int result; + enum kauth_network_req req; + + result = KAUTH_RESULT_DEFER; + req = (enum kauth_network_req)arg0; + + if (action != KAUTH_NETWORK_FIREWALL) + return result; + + /* These must have came from device context. */ + if ((req == KAUTH_REQ_NETWORK_FIREWALL_FW) || + (req == KAUTH_REQ_NETWORK_FIREWALL_NAT)) + result = KAUTH_RESULT_ALLOW; + + return result; +} +#endif /* * Try to detect the case when compiling for NetBSD with pseudo-device 
@@ -453,6 +480,12 @@ #else timeout(fr_slowtimer, NULL, (hz / IPF_HZ_DIVIDE) * IPF_HZ_MULT); #endif + +#if (__NetBSD_Version__ >= 599002000) + ipf_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK, + ipf_listener_cb, NULL); +#endif + return 0; #if __NetBSD_Version__ >= 105110000 Index: src/sys/dist/pf/net/pf_ioctl.c diff -u src/sys/dist/pf/net/pf_ioctl.c:1.36 src/sys/dist/pf/net/pf_ioctl.c:1.37 --- src/sys/dist/pf/net/pf_ioctl.c:1.36 Mon Sep 14 10:36:50 2009 +++ src/sys/dist/pf/net/pf_ioctl.c Sat Oct 3 00:37:02 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $ */ +/* $NetBSD: pf_ioctl.c,v 1.37 2009/10/03 00:37:02 elad Exp $ */ /* $OpenBSD: pf_ioctl.c,v 1.182 2007/06/24 11:17:13 mcbride Exp $ */ /* @@ -37,7 +37,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.36 2009/09/14 10:36:50 degroote Exp $"); +__KERNEL_RCSID(0, "$NetBSD: pf_ioctl.c,v 1.37 2009/10/03 00:37:02 elad Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -174,6 +174,31 @@ static int pf_pfil_detach(void); static int pf_pfil_attached; + +static kauth_listener_t pf_listener; +#endif /* __NetBSD__ */ + +#ifdef __NetBSD__ +static int +pf_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, + void *arg0, void *arg1, void *arg2, void *arg3) +{ + int result; + enum kauth_network_req req; + + result = KAUTH_RESULT_DEFER; + req = (enum kauth_network_req)arg0; + + if (action != KAUTH_NETWORK_FIREWALL) + return result; + + /* These must have came from device context. */ + if ((req == KAUTH_REQ_NETWORK_FIREWALL_FW) || + (req == KAUTH_REQ_NETWORK_FIREWALL_NAT)) + result = KAUTH_RESULT_ALLOW; + + return result; +} #endif /* __NetBSD__ */ void 
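Review bot: The `ipf_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK, ipf_listener_cb, NULL);` call added before `return 0;` in this hunk has no matching release anywhere in the commit, so a build that can detach the filter (the `#endif /* IPFILTER_LKM */` context in the earlier hunk suggests one exists) would leave kauth holding a callback pointer into unloaded text, and the detach path should mirror this with `kauth_unlisten_scope(ipf_listener);` under the same `__NetBSD_Version__` guard. The pf_listener registration added to pfattach in the pf_ioctl.c hunk below has the same gap. The return value of kauth_listen_scope() is also used unchecked, which is presumably fine because KAUTH_SCOPE_NETWORK is a built-in scope, but a short comment saying so would make the intent clear. Since the callback installed here (defined in the earlier hunk, which runs past the visible text) answers KAUTH_RESULT_ALLOW for the FW/NAT requests without consulting cred, the only access control left on those requests is the device node's permission bits, a fact the removed secmodel_suser.c comment stated explicitly and that is worth restating at the registration site, e.g. `/* Policy is root-agnostic: access to FW/NAT requests is gated by the device node's mode bits. */`.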
@@ -277,6 +302,11 @@ #else kthread_create_deferred(pf_thread_create, NULL); #endif /* !__NetBSD__ */ + +#ifdef __NetBSD__ + pf_listener = kauth_listen_scope(KAUTH_SCOPE_NETWORK, + pf_listener_cb, NULL); +#endif /* __NetBSD__ */ } #ifndef __NetBSD__ Index: src/sys/secmodel/suser/secmodel_suser.c diff -u src/sys/secmodel/suser/secmodel_suser.c:1.16 src/sys/secmodel/suser/secmodel_suser.c:1.17 --- src/sys/secmodel/suser/secmodel_suser.c:1.16 Sat Oct 3 00:14:07 2009 +++ src/sys/secmodel/suser/secmodel_suser.c Sat Oct 3 00:37:01 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: secmodel_suser.c,v 1.16 2009/10/03 00:14:07 elad Exp $ */ +/* $NetBSD: secmodel_suser.c,v 1.17 2009/10/03 00:37:01 elad Exp $ */ /*- * Copyright (c) 2006 Elad Efrat <e...@netbsd.org> * All rights reserved. @@ -38,7 +38,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.16 2009/10/03 00:14:07 elad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.17 2009/10/03 00:37:01 elad Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -738,25 +738,6 @@ } break; - case KAUTH_NETWORK_FIREWALL: - switch (req) { - case KAUTH_REQ_NETWORK_FIREWALL_FW: - case KAUTH_REQ_NETWORK_FIREWALL_NAT: - /* - * Decisions are root-agnostic. - * - * Both requests are issued from the context of a - * device with permission bits acting as access - * control. - */ - result = KAUTH_RESULT_ALLOW; - break; - - default: - break; - } - break; - case KAUTH_NETWORK_FORWSRCRT: if (isroot) result = KAUTH_RESULT_ALLOW;