Add skeleton files to be used by developers interested in writing NetBSD
security models from scratch. Address issues both for in-tree integration
as well as distribution as LKMs.

Placed in the public domain.

Update secmodel_examples to better describe the secmodel(9) API.

branches: 1.1.40;
Add skeleton files to be used by developers interested in writing NetBSD
security models from scratch. Address issues both for in-tree integration
as well as distribution as LKMs.

Placed in the public domain.

Add skeleton files to be used by developers interested in writing NetBSD
security models from scratch. Address issues both for in-tree integration
as well as distribution as LKMs.

Placed in the public domain.

s/attachement/attachment/ and s/detachement/detachment/.

more strip(4) removal, this time in kauth(9)

branches: 1.28.10;
Add KAUTH_REQ_PROCESS_CANSEE_EPROC, and use it for the kern.proc node.
Same permission as before, so no functional change.

Retire ipkdb entirely. The option was removed from the config files
yesterday.

ok kamil christos

branches: 1.26.38; 1.26.40;
Update secmodel_examples to better describe the secmodel(9) API.

branches: 1.25.2;
Introduce a new kauth action, KAUTH_NETWORK_NFS, and two requests,
KAUTH_REQ_NETWORK_NFS_EXPORT and KAUTH_REQ_NETWORK_NFS_SVC, and use them
to replace two KAUTH_GENERIC_ISSUSER calls in the NFS code.

Also replace two more with KAUTH_SYSTEM_MKNOD, where appropriate.

Documetnation and examples updated. More to come.

Factor out the guts of get/setparam so it can be used from the compat code.

Make the FreeBSD and Linux compat code convert the parameters to their
native representation and call the native routines.

Remove KAUTH_PROCESS_SCHEDULER_GET/SET.

Update documentation and examples.

XXX: For now, only the Linux compat code does the priority conversion
XXX: right.

Linux priority conversion code from yamt@, thanks!

Okay yamt@.

branches: 1.23.2;
Fold KAUTH_REQ_PROCESS_SCHEDULER_* to KAUTH_PROCESS_SCHEDULER_*. In other
words, don't pass an action and a request, and just use a single action to
indicate what is the operation in question.

This is the first step in fixing PR/37986, which calls for policy/priority
checking in the secmodel code. Right now we're lacking room for another
parameter required to make a decision, and this change makes room for such.

Add, document, and use KAUTH_REQ_PROCESS_KTRACE_PERSISTENT.

Replace a KAUTH_GENERIC_ISSUSER in the cpuctl code with a proper kauth
request.

Reviewed by ad@, tested by me.

Use proper kauth(9) actions/requests for native scheduler stuff and the
recently introduced processor-sets.

Discussed with and okay rmind@, yamt@, and christos@.

Tons of process scope changes.

- Add a KAUTH_PROCESS_SCHEDULER action, to handle scheduler related
requests, and add specific requests for set/get scheduler policy and
set/get scheduler parameters.

- Add a KAUTH_PROCESS_KEVENT_FILTER action, to handle kevent(2) related
requests.

- Add a KAUTH_DEVICE_TTY_STI action to handle requests to TIOCSTI.

- Add requests for the KAUTH_PROCESS_CANSEE action, indicating what
process information is being looked at (entry itself, args, env,
open files).

- Add requests for the KAUTH_PROCESS_RLIMIT action indicating set/get.

- Add requests for the KAUTH_PROCESS_CORENAME action indicating set/get.

- Make bsd44 secmodel code handle the newly added rqeuests appropriately.

All of the above make it possible to issue finer-grained kauth(9) calls in
many places, removing some KAUTH_GENERIC_ISSUSER requests.

- Remove the "CAN" from KAUTH_PROCESS_CAN{KTRACE,PROCFS,PTRACE,SIGNAL}.

Discussed with christos@ and yamt@.

Make fork use kauth.

Been running in my tree for over a month at least.

Reviewed and okay yamt@, and special thanks to him as well as rittera@
for making this possible through fixing NDIS to not call fork1() with
l1 != curlwp.

Remove systrace. Ok core@.

s, , ,

Kill another instance of KAUTH_GENERIC_ISSUSER.

branches: 1.14.4;
Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.

arg0 is always 'struct proc *' for the process scope.

We no longer have 'enum kauth_machdep_req'.

Make mount(2) and unmount(2) use kauth(9) for security policy.

Okay yamt@.

Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.

Add requests indicating access to unmanaged memory for arm, pc532, powerpc,
sh3, sh5, and vax, and use them instead of KAUTH_GENERIC_ISSUSER.

Update documentation and example secmodel code.

- moves 'nice' access semantics to secmodel code,
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
allowed to view the target process' corename, stop flags, and
rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.

okay yamt@

this is a pullup candidate.

branches: 1.7.2;
Introduce KAUTH_REQ_MACHDEP_{ALPHA,X86}_UNMANAGEDMEM to handle access
to unmanaged memory.

These are the last two securelevel references in the MD code.

Add example listener for the device scope.
While here, sync with reality.

Introduce KAUTH_REQ_NETWORK_SOCKET_OPEN, to check if opening a socket is
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).

Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indiacting it for
future reference.

Documented and updated examples as well.

Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE,
used to manage network interfaces.

Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.

Add a new ALTQ kauth(9) request, KAUTH_REQ_NETWORK_ALTQ_JOBS.

Introduce KAUTH_REQ_NETWORK_SOCKET_CANSEE. Since we're not gonna be having
credentials on sockets, at least not anytime soon, this is a way to check
if we can "look" at a socket. Later on when (and if) we do have socket
credentials, the interface usage remains the same because we pass the
socket.

This also fixes sysctl for inet/inet6 pcblist.

Add skeleton files to be used by developers interested in writing NetBSD
security models from scratch. Address issues both for in-tree integration
as well as distribution as LKMs.

Placed in the public domain.