CVS commit: src/sys/dev/dm

Thu, 23 Dec 2010 12:07:22 -0800 

Module Name:    src
Committed By:   christos
Date:           Thu Dec 23 20:07:13 UTC 2010

Modified Files:
        src/sys/dev/dm: device-mapper.c dm.h

Log Message:
Now that we have allowed operator to access the control node, make sure
that he cannot cause damage, by only allowing the superuser to do ioctls
that can cause damage.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/dev/dm/device-mapper.c
cvs rdiff -u -r1.21 -r1.22 src/sys/dev/dm/dm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/dev/dm/device-mapper.c
diff -u src/sys/dev/dm/device-mapper.c:1.27 src/sys/dev/dm/device-mapper.c:1.28
--- src/sys/dev/dm/device-mapper.c:1.27	Thu Dec 23 09:58:13 2010
+++ src/sys/dev/dm/device-mapper.c	Thu Dec 23 15:07:13 2010
@@ -1,4 +1,4 @@
-/*        $NetBSD: device-mapper.c,v 1.27 2010/12/23 14:58:13 mlelstv Exp $ */
+/*        $NetBSD: device-mapper.c,v 1.28 2010/12/23 20:07:13 christos Exp $ */
 
 /*
  * Copyright (c) 2010 The NetBSD Foundation, Inc.
@@ -45,6 +45,7 @@
 #include <sys/ioctl.h>
 #include <sys/ioccom.h>
 #include <sys/kmem.h>
+#include <sys/kauth.h>
 
 #include "netbsd-dm.h"
 #include "dm.h"
@@ -121,23 +122,23 @@
  * ioctl to kernel but will do another things in userspace.
  *
  */
-struct cmd_function cmd_fn[] = {
-		{ .cmd = "version", .fn = dm_get_version_ioctl},
-		{ .cmd = "targets", .fn = dm_list_versions_ioctl},
-		{ .cmd = "create",  .fn = dm_dev_create_ioctl},
-		{ .cmd = "info",    .fn = dm_dev_status_ioctl},
-		{ .cmd = "mknodes", .fn = dm_dev_status_ioctl},		
-		{ .cmd = "names",   .fn = dm_dev_list_ioctl},
-		{ .cmd = "suspend", .fn = dm_dev_suspend_ioctl},
-		{ .cmd = "remove",  .fn = dm_dev_remove_ioctl}, 
-		{ .cmd = "rename",  .fn = dm_dev_rename_ioctl},
-		{ .cmd = "resume",  .fn = dm_dev_resume_ioctl},
-		{ .cmd = "clear",   .fn = dm_table_clear_ioctl},
-		{ .cmd = "deps",    .fn = dm_table_deps_ioctl},
-		{ .cmd = "reload",  .fn = dm_table_load_ioctl},
-		{ .cmd = "status",  .fn = dm_table_status_ioctl},
-		{ .cmd = "table",   .fn = dm_table_status_ioctl},
-		{NULL, NULL}	
+static const struct cmd_function cmd_fn[] = {
+	{ .cmd = "version", .fn = dm_get_version_ioctl,	  .allowed = 1 },
+	{ .cmd = "targets", .fn = dm_list_versions_ioctl, .allowed = 1 },
+	{ .cmd = "create",  .fn = dm_dev_create_ioctl,    .allowed = 0 },
+	{ .cmd = "info",    .fn = dm_dev_status_ioctl,    .allowed = 1 },
+	{ .cmd = "mknodes", .fn = dm_dev_status_ioctl,    .allowed = 1 },
+	{ .cmd = "names",   .fn = dm_dev_list_ioctl,      .allowed = 1 },
+	{ .cmd = "suspend", .fn = dm_dev_suspend_ioctl,   .allowed = 0 },
+	{ .cmd = "remove",  .fn = dm_dev_remove_ioctl,    .allowed = 0 }, 
+	{ .cmd = "rename",  .fn = dm_dev_rename_ioctl,    .allowed = 0 },
+	{ .cmd = "resume",  .fn = dm_dev_resume_ioctl,    .allowed = 0 },
+	{ .cmd = "clear",   .fn = dm_table_clear_ioctl,   .allowed = 0 },
+	{ .cmd = "deps",    .fn = dm_table_deps_ioctl,    .allowed = 1 },
+	{ .cmd = "reload",  .fn = dm_table_load_ioctl,    .allowed = 0 },
+	{ .cmd = "status",  .fn = dm_table_status_ioctl,  .allowed = 1 },
+	{ .cmd = "table",   .fn = dm_table_status_ioctl,  .allowed = 1 },
+	{ .cmd = NULL, 	    .fn = NULL,			  .allowed = 0 }	
 };
 
 #ifdef _MODULE
@@ -382,7 +383,7 @@
  * Translate command sent from libdevmapper to func.
  */
 static int
-dm_cmd_to_fun(prop_dictionary_t dm_dict){
+dm_cmd_to_fun(prop_dictionary_t dm_dict) {
 	int i, r;
 	prop_string_t command;
 	
@@ -395,6 +396,11 @@
 		if (prop_string_equals_cstring(command, cmd_fn[i].cmd))
 			break;
 
+	if (!cmd_fn[i].allowed && 
+	    (r = kauth_authorize_generic(kauth_cred_get(),
+	    KAUTH_GENERIC_ISSUSER, NULL)) != 0)
+		return r;
+
 	if (cmd_fn[i].cmd == NULL)
 		return EINVAL;
 

Index: src/sys/dev/dm/dm.h
diff -u src/sys/dev/dm/dm.h:1.21 src/sys/dev/dm/dm.h:1.22
--- src/sys/dev/dm/dm.h:1.21	Thu Dec 23 09:58:13 2010
+++ src/sys/dev/dm/dm.h	Thu Dec 23 15:07:13 2010
@@ -1,4 +1,4 @@
-/*        $NetBSD: dm.h,v 1.21 2010/12/23 14:58:13 mlelstv Exp $      */
+/*        $NetBSD: dm.h,v 1.22 2010/12/23 20:07:13 christos Exp $      */
 
 /*
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -258,11 +258,13 @@
  * This structure is used to translate command sent to kernel driver in
  * <key>command</key>
  * <value></value>
- * to function which I can call.
+ * to function which I can call, and if the command is allowed for
+ * non-superusers.
  */
 struct cmd_function {
 	const char *cmd;
 	int  (*fn)(prop_dictionary_t);
+	int  allowed;
 };
 
 /* device-mapper */

Reply via email to