Module Name: src
Committed By: elad
Date: Tue Oct 6 20:34:22 UTC 2009
Modified Files:
src/sys/secmodel/suser: secmodel_suser.c
Log Message:
Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel
and remove subsystem specific listeners; without this change they would
have ended up with a root user that can only do privileged operations.
To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/secmodel/suser/secmodel_suser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.27 src/sys/secmodel/suser/secmodel_suser.c:1.28
--- src/sys/secmodel/suser/secmodel_suser.c:1.27 Mon Oct 5 04:20:13 2009
+++ src/sys/secmodel/suser/secmodel_suser.c Tue Oct 6 20:34:22 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.27 2009/10/05 04:20:13 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.28 2009/10/06 20:34:22 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <[email protected]>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.27 2009/10/05 04:20:13 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.28 2009/10/06 20:34:22 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -304,6 +304,14 @@
case KAUTH_SYSTEM_MOUNT:
switch (req) {
+ case KAUTH_REQ_SYSTEM_MOUNT_GET:
+ if (isroot) {
+ result = KAUTH_RESULT_ALLOW;
+ break;
+ }
+
+ break;
+
case KAUTH_REQ_SYSTEM_MOUNT_NEW: {
struct mount *mp = ((struct vnode *)arg1)->v_mount;
u_long flags = (u_long)arg2;
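Review bot: The new `KAUTH_REQ_SYSTEM_MOUNT_GET` case has a `break` inside the `if (isroot)` block and a second `break` right after it, so the inner one is redundant. The other cases added in this commit use the shorter form, and matching them keeps the allow path easy to audit: `if (isroot)` / `result = KAUTH_RESULT_ALLOW;` followed by a single `break;`. The enclosing switch and function start and end outside this hunk, so the value `result` holds for non-root callers is not visible here.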
@@ -437,6 +445,20 @@
result = KAUTH_RESULT_ALLOW;
break;
+ case KAUTH_SYSTEM_DEBUG:
+ switch (req) {
+ case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+
+ break;
+
+ default:
+ break;
+ }
+
+ break;
+
case KAUTH_SYSTEM_CHSYSFLAGS:
/*
* Needs to be checked in conjunction with the immutable and
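Review bot: The new `KAUTH_SYSTEM_DEBUG` case allows `KAUTH_REQ_SYSTEM_DEBUG_IPKDB` to any root caller with no comment on what else is expected to restrict it. The same applies to the `KAUTH_NETWORK_FIREWALL` case added in a later hunk for the `_FW` and `_NAT` requests. Kernel debugger access and packet filter configuration are high-impact operations. If another listener (for example a securelevel model) is meant to veto them, say so above each case, e.g. `/* Root is allowed here; other listeners may still deny (TODO confirm which). */`. The `default: break;` arms leave `result` unchanged, and its initial value is set outside these hunks.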
@@ -481,6 +503,7 @@
case KAUTH_PROCESS_PTRACE:
case KAUTH_PROCESS_SCHEDULER_GETPARAM:
case KAUTH_PROCESS_SCHEDULER_SETPARAM:
+ case KAUTH_PROCESS_SCHEDULER_GETAFFINITY:
case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
case KAUTH_PROCESS_SETID:
case KAUTH_PROCESS_KEVENT_FILTER:
@@ -600,6 +623,7 @@
case KAUTH_NETWORK_BIND:
switch (req) {
+ case KAUTH_REQ_NETWORK_BIND_PORT:
case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
if (isroot)
result = KAUTH_RESULT_ALLOW;
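Review bot: `KAUTH_REQ_NETWORK_BIND_PORT` now shares the root-only branch with `KAUTH_REQ_NETWORK_BIND_PRIVPORT`, so this listener never allows an ordinary bind by a non-root caller. From the log message, unprivileged binds are presumably decided by the subsystem's own listener, but nothing in the code says so. A short comment above the labels would make the dependency explicit, e.g. `/* Only root is allowed here; unprivileged requests are left to the subsystem listener. */`. The same applies to `KAUTH_REQ_NETWORK_INTERFACE_GET` and `KAUTH_REQ_NETWORK_INTERFACE_SET` in the last hunk. The rest of this switch lies outside the hunk.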
@@ -610,6 +634,20 @@
}
break;
+ case KAUTH_NETWORK_FIREWALL:
+ switch (req) {
+ case KAUTH_REQ_NETWORK_FIREWALL_FW:
+ case KAUTH_REQ_NETWORK_FIREWALL_NAT:
+ if (isroot)
+ result = KAUTH_RESULT_ALLOW;
+
+ break;
+
+ default:
+ break;
+ }
+ break;
+
case KAUTH_NETWORK_FORWSRCRT:
case KAUTH_NETWORK_ROUTE:
if (isroot)
@@ -619,6 +657,8 @@
case KAUTH_NETWORK_INTERFACE:
switch (req) {
+ case KAUTH_REQ_NETWORK_INTERFACE_GET:
+ case KAUTH_REQ_NETWORK_INTERFACE_SET:
case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
if (isroot)