CVS commit: src/sys

Sat, 14 Nov 2009 10:37:21 -0800 

Module Name:    src
Committed By:   elad
Date:           Sat Nov 14 18:36:57 UTC 2009

Modified Files:
        src/sys/kern: init_main.c
        src/sys/miscfs/specfs: spec_vnops.c specdev.h
        src/sys/secmodel/suser: secmodel_suser.c

Log Message:
- Move kauth_init() a little bit higher.

- Add spec_init() to authorize special device actions (and passthru too for
  the time being). Move policy out of secmodel_suser.


To generate a diff of this commit:
cvs rdiff -u -r1.408 -r1.409 src/sys/kern/init_main.c
cvs rdiff -u -r1.126 -r1.127 src/sys/miscfs/specfs/spec_vnops.c
cvs rdiff -u -r1.38 -r1.39 src/sys/miscfs/specfs/specdev.h
cvs rdiff -u -r1.30 -r1.31 src/sys/secmodel/suser/secmodel_suser.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/kern/init_main.c
diff -u src/sys/kern/init_main.c:1.408 src/sys/kern/init_main.c:1.409
--- src/sys/kern/init_main.c:1.408	Tue Nov  3 05:23:28 2009
+++ src/sys/kern/init_main.c	Sat Nov 14 18:36:57 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: init_main.c,v 1.408 2009/11/03 05:23:28 dyoung Exp $	*/
+/*	$NetBSD: init_main.c,v 1.409 2009/11/14 18:36:57 elad Exp $	*/
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.408 2009/11/03 05:23:28 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.409 2009/11/14 18:36:57 elad Exp $");
 
 #include "opt_ddb.h"
 #include "opt_ipsec.h"
@@ -338,6 +338,11 @@
 	/* Initialize callouts, part 1. */
 	callout_startup();
 
+	/* Initialize the kernel authorization subsystem. */
+	kauth_init();
+
+	spec_init();
+
 	/* Start module system. */
 	module_init();
 
@@ -349,7 +354,6 @@
 	 * credential inheritance policy, it is needed at least before
 	 * any process is created, specifically proc0.
 	 */
-	kauth_init();
 	module_init_class(MODULE_CLASS_SECMODEL);
 
 	/* Initialize the buffer cache */

Index: src/sys/miscfs/specfs/spec_vnops.c
diff -u src/sys/miscfs/specfs/spec_vnops.c:1.126 src/sys/miscfs/specfs/spec_vnops.c:1.127
--- src/sys/miscfs/specfs/spec_vnops.c:1.126	Tue Oct  6 04:28:10 2009
+++ src/sys/miscfs/specfs/spec_vnops.c	Sat Nov 14 18:36:57 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: spec_vnops.c,v 1.126 2009/10/06 04:28:10 elad Exp $	*/
+/*	$NetBSD: spec_vnops.c,v 1.127 2009/11/14 18:36:57 elad Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -58,7 +58,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.126 2009/10/06 04:28:10 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: spec_vnops.c,v 1.127 2009/11/14 18:36:57 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/proc.h>
@@ -151,6 +151,8 @@
 const struct vnodeopv_desc spec_vnodeop_opv_desc =
 	{ &spec_vnodeop_p, spec_vnodeop_entries };
 
+static kauth_listener_t rawio_listener;
+
 /* Returns true if vnode is /dev/mem or /dev/kmem. */
 bool
 iskmemvp(struct vnode *vp)
@@ -171,6 +173,32 @@
 	return (major(dev) == mem_no && (minor(dev) < 2 || minor(dev) == 14));
 }
 
+static int
+rawio_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	int result;
+
+	result = KAUTH_RESULT_DEFER;
+
+	if ((action != KAUTH_DEVICE_RAWIO_SPEC) &&
+	    (action != KAUTH_DEVICE_RAWIO_PASSTHRU))
+		return result;
+
+	/* Access is mandated by permissions. */
+	result = KAUTH_RESULT_ALLOW;
+
+	return result;
+}
+
+void
+spec_init(void)
+{
+
+	rawio_listener = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
+	    rawio_listener_cb, NULL);
+}
+
 /*
  * Initialize a vnode that represents a device.
  */

Index: src/sys/miscfs/specfs/specdev.h
diff -u src/sys/miscfs/specfs/specdev.h:1.38 src/sys/miscfs/specfs/specdev.h:1.39
--- src/sys/miscfs/specfs/specdev.h:1.38	Tue Oct  6 04:28:11 2009
+++ src/sys/miscfs/specfs/specdev.h	Sat Nov 14 18:36:57 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: specdev.h,v 1.38 2009/10/06 04:28:11 elad Exp $	*/
+/*	$NetBSD: specdev.h,v 1.39 2009/11/14 18:36:57 elad Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -156,5 +156,6 @@
 #define	spec_putpages	genfs_putpages
 
 bool	iskmemvp(struct vnode *);
+void	spec_init(void);
 
 #endif /* _MISCFS_SPECFS_SPECDEV_H_ */

Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.30 src/sys/secmodel/suser/secmodel_suser.c:1.31
--- src/sys/secmodel/suser/secmodel_suser.c:1.30	Wed Oct  7 01:31:41 2009
+++ src/sys/secmodel/suser/secmodel_suser.c	Sat Nov 14 18:36:56 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.30 2009/10/07 01:31:41 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.31 2009/11/14 18:36:56 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.30 2009/10/07 01:31:41 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.31 2009/11/14 18:36:56 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -873,17 +873,6 @@
 		break;
 		}
 
-	case KAUTH_DEVICE_RAWIO_SPEC:
-	case KAUTH_DEVICE_RAWIO_PASSTHRU:
-		/*
-		 * Decision is root-agnostic.
-		 *
-		 * Both requests can be issued on devices subject to their
-		 * permission bits.
-		 */
-		result = KAUTH_RESULT_ALLOW;
-		break;
-
 	case KAUTH_DEVICE_GPIO_PINSET:
 		/*
 		 * root can access gpio pins, secmodel_securlevel can veto

Reply via email to