Module Name:    src
Committed By:   elad
Date:           Sat Oct  3 02:01:12 UTC 2009

Modified Files:
        src/sys/dev: clockctl.c
        src/sys/secmodel/suser: secmodel_suser.c

Log Message:
Move clockctl policy exception back to the subsystem.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/dev/clockctl.c
cvs rdiff -u -r1.21 -r1.22 src/sys/secmodel/suser/secmodel_suser.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/clockctl.c
diff -u src/sys/dev/clockctl.c:1.27 src/sys/dev/clockctl.c:1.28
--- src/sys/dev/clockctl.c:1.27	Sun Feb 22 13:06:59 2009
+++ src/sys/dev/clockctl.c	Sat Oct  3 02:01:12 2009
@@ -1,4 +1,4 @@
-/*      $NetBSD: clockctl.c,v 1.27 2009/02/22 13:06:59 nakayama Exp $ */
+/*      $NetBSD: clockctl.c,v 1.28 2009/10/03 02:01:12 elad Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: clockctl.c,v 1.27 2009/02/22 13:06:59 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: clockctl.c,v 1.28 2009/10/03 02:01:12 elad Exp $");
 
 #include "opt_ntp.h"
 #include "opt_compat_netbsd.h"
@@ -47,6 +47,7 @@
 #ifdef NTP
 #include <sys/timex.h>
 #endif /* NTP */
+#include <sys/kauth.h>
 
 #include <sys/clockctl.h>
 #ifdef COMPAT_50
@@ -64,12 +65,39 @@
 	nostop, notty, nopoll, nommap, nokqfilter, D_OTHER,
 };
 
+static kauth_listener_t clockctl_listener;
+
+static int
+clockctl_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	int result;
+	enum kauth_system_req req;
+	bool device_context;
+
+	result = KAUTH_RESULT_DEFER;
+	req = (enum kauth_system_req)arg0;
+
+	if ((action != KAUTH_SYSTEM_TIME) ||
+	    (req != KAUTH_REQ_SYSTEM_TIME_SYSTEM))
+		return result;
+
+	device_context = (bool)arg3;
+
+	/* Device is controlled by permissions, so allow. */
+	if (device_context)
+		result = KAUTH_RESULT_ALLOW;
+
+	return result;
+}
+
 /*ARGSUSED*/
 void
 clockctlattach(int num)
 {
-	/* Nothing to set up before open is called */
-	return;
+
+	clockctl_listener = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
+	    clockctl_listener_cb, NULL);
 }
 
 int
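Review bot: In clockctl_listener_cb the ALLOW decision rests only on `arg3`, a flag supplied by whoever issues the KAUTH_SYSTEM_TIME / KAUTH_REQ_SYSTEM_TIME_SYSTEM request, and `cred` is never consulted, so the effective access control for non-root time setting is the mode and ownership of the clockctl device node. The comment should say so explicitly, for example `/* Request came through the clockctl device; open(2) permissions on the node already gated the caller, so allow regardless of cred. */`, so that nobody later passes a true device_context from another path. The two casts would read more safely as `req = (enum kauth_system_req)(uintptr_t)arg0;` and `device_context = (arg3 != NULL);`, which avoids a direct pointer-to-narrower-integer conversion on LP64. In clockctlattach the result of kauth_listen_scope() is stored but not checked; if registration can fail here (not visible from this hunk), device-context requests would be refused with no diagnostic.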

Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.21 src/sys/secmodel/suser/secmodel_suser.c:1.22
--- src/sys/secmodel/suser/secmodel_suser.c:1.21	Sat Oct  3 01:52:14 2009
+++ src/sys/secmodel/suser/secmodel_suser.c	Sat Oct  3 02:01:12 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.22 2009/10/03 02:01:12 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.22 2009/10/03 02:01:12 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -410,19 +410,7 @@
 		case KAUTH_REQ_SYSTEM_TIME_ADJTIME:
 		case KAUTH_REQ_SYSTEM_TIME_NTPADJTIME:
 		case KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS:
-			if (isroot)
-				result = KAUTH_RESULT_ALLOW;
-			break;
-
-		case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
-			bool device_context = (bool)arg3;
-
-			if (device_context || isroot)
-				result = KAUTH_RESULT_ALLOW;
-
-			break;
-		}
-
+		case KAUTH_REQ_SYSTEM_TIME_SYSTEM:
 		case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
 			if (isroot)
 				result = KAUTH_RESULT_ALLOW;
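Review bot: After this hunk the suser switch shows KAUTH_REQ_SYSTEM_TIME_SYSTEM as root-only, while the non-root path is still allowed by the listener added in src/sys/dev/clockctl.c, so anyone auditing who may set the clock from this file alone gets the wrong answer. A one-line comment at the case label would keep that visible, e.g. `/* non-root access through the clockctl device is allowed by clockctl's own kauth listener */`. The enclosing switch and function start outside the hunk, so this is based on the visible cases only.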
