correct the descriotion if KAUTH_CRED_COPY

Noticed by Vasyl Maksym Lanko.
Bump date.

branches: 1.114.2;
kauth_cred_hold(): return cred verbatim so that donating a reference to
another data structure can be done more elegantly.

x68k now uses KAUTH_MACHDEP_UNMANAGEDMEM.

Retire ipkdb entirely. The option was removed from the config files
yesterday.

ok kamil christos

branches: 1.111.2; 1.111.4;
Remove superfluous Pp. Fix self-referencing xrefs. Improve others.

Bump date for previous.

Remove the filesystem tracing feature

This is a legacy interface from 4.4BSD, and it was
introduced to overcome shortcomings of ptrace(2) at that time, which are
no longer relevant (performance). Today /proc/#/ctl offers a narrow
subset of ptrace(2) commands and is not applicable for modern
applications use beyond simplistic tracing scenarios.

This removal will simplify kernel internals. Users will still be able to
use all the other /proc files.

This change won't affect other procfs files neither Linux compat
features within mount_procfs(8). /proc/#/ctl isn't available on Linux.

Remove:
- /proc/#/ctl from mount_procfs(8)
- P_FSTRACE note from the documentation of ps(1)
- /proc/#/ctl and filesystem tracing documentation from mount_procfs(8)
- KAUTH_REQ_PROCESS_PROCFS_CTL documentation from kauth(9)
- source code file miscfs/procfs/procfs_ctl.c
- PFSctl and procfs_doctl() from sys/miscfs/procfs/procfs.h
- KAUTH_REQ_PROCESS_PROCFS_CTL from sys/sys/kauth.h
- PSL_FSTRACE (0x00010000) from sys/sys/proc.h
- P_FSTRACE (0x00010000) from sys/sys/sysctl.h

Reduce code complexity after removal of this functionality.

Update TODO.ptrace accordingly: remove two entries about /proc tracing.

Do not keep legacy notes as comments in the headers about removed
PSL_FSTRACE / P_FSTRACE, as this interface had little number of users
(close or equal to zero).

Proposed on tech-kern@.

All filesystem tracing utility users are encouraged to switch to ptrace(2).

Sponsored by <The NetBSD Foundation>

Remove workaround for ancient HTML generation code.

branches: 1.107.4;
Use `\(em', not `--'.

Refill sentences and tweak wording where appropriate while here.

Clarify that kauth_cred_get doesn't modify with reference count.

branches: 1.105.8; 1.105.12;
Merge riastradh-drm2 to HEAD.

Use Mt for email addresses.

branches: 1.103.2; 1.103.4;

Fix documentation for function kauth_register_key (PR 46641).

Bump date for previous.

Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential scope.
Reviewed and approved by elad@.

Small typo.

Bump date for previous.
Spell "file system" like in other man pages.
Fix typos.

Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.

Use Lk macro instead of Pa when dealing with URLs, to produce links
with HTML output. And while here update some dead URL links.
First part of PR/29238.

fix secmodel implementation of CPU_UCODE.
ok wiz@ for the manpages
ok elad@

KAUTH_GENERIC_CANSEE is no more.

GETPARAMS => GETPARAM
SETPARAMS => SETPARAM

Remove trailing whitespace. New sentence, new line.

Small improvements to kauth(9).

branches: 1.91.4;
Typo fix.

Add missing word.

Fix typographics errors.

Bump date for previous.

reduce the number of KAUTH_DEVICE_BLUETOOTH_SEND/RECV requests
by passing the packet type as an argument rather than having
a different request for each type.

(from a suggestion by mrg)

remove last usage of KAUTH_ISSUSER in bluetooth code by adding
some requests to the device scope:

KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND
KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND
KAUTH_DEVICE_BLUETOOTH_RECV_EVENT
KAUTH_DEVICE_BLUETOOTH_RECV_DATA

and a listener tied to the HCI protocol that will approve the basic
minimum to be sent and received.

handle the requests in the bsd44_suser listener by approving all
when the credential is root.

Spelling fixes.

Add and use a network scope action/request for tun(4), similar to ppp(4),
sl(4), and strip(4).

Introduce several actions/requests for authorizing file-system related
operations, specifically quota and block allocation from reserved space.

Modify ufs_quotactl() to accomodate passing "mp" earlier by vfs_busy()ing
it a little bit higher.

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/04/26/msg004936.html

Note that the umapfs request mentioned in this thread was NOT added as
there is still on-going discussion regarding the proper implementation.

Introduce actions/requests to handle authorization for ppp(4), sl(4),
strip(4), btuart(4) and bcsp(4) network interfaces and devices.

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004955.html

Remove .Pp before and after .Ss.

.Sy -> .Ss for a subsection header.

Pointed out by wiz@, thanks!

Add device scope actions for rnd(4) and use them.

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004953.html

Remove Pp before Ss.

Add a bluetooth action to the device scope and use it in netbt as a
replacement for KAUTH_GENERIC_ISSUSER.

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/04/25/msg004905.html

Bluetooth-specific authorization wrapper might come later.

Document KAUTH_REQ_NETWORK_BIND_PORT.

exec(3), not (2).

Remove a few KAUTH_GENERIC_ISSUSER in favor of more descriptive
alternatives.

Discussed on tech-kern:

http://mail-index.netbsd.org/tech-kern/2009/04/11/msg004798.html

Input from ad@, christos@, dyoung@, tsutsui@.

Okay ad@.

Provide -width for -tag lists.

branches: 1.72.2;
Remove LKMs and switch to the module framework, pass 1.

Proposed on tech-kern@.

Make kauth_cred_setgroups() signature match the const, hard reality.

branches: 1.70.2;
Introduce a new kauth action, KAUTH_NETWORK_NFS, and two requests,
KAUTH_REQ_NETWORK_NFS_EXPORT and KAUTH_REQ_NETWORK_NFS_SVC, and use them
to replace two KAUTH_GENERIC_ISSUSER calls in the NFS code.

Also replace two more with KAUTH_SYSTEM_MKNOD, where appropriate.

Documetnation and examples updated. More to come.

Factor out the guts of get/setparam so it can be used from the compat code.

Make the FreeBSD and Linux compat code convert the parameters to their
native representation and call the native routines.

Remove KAUTH_PROCESS_SCHEDULER_GET/SET.

Update documentation and examples.

XXX: For now, only the Linux compat code does the priority conversion
XXX: right.

Linux priority conversion code from yamt@, thanks!

Okay yamt@.

branches: 1.68.2;
Fold KAUTH_REQ_PROCESS_SCHEDULER_* to KAUTH_PROCESS_SCHEDULER_*. In other
words, don't pass an action and a request, and just use a single action to
indicate what is the operation in question.

This is the first step in fixing PR/37986, which calls for policy/priority
checking in the secmodel code. Right now we're lacking room for another
parameter required to make a decision, and this change makes room for such.

Add, document, and use KAUTH_REQ_PROCESS_KTRACE_PERSISTENT.

Replace a KAUTH_GENERIC_ISSUSER in the cpuctl code with a proper kauth
request.

Reviewed by ad@, tested by me.

Use proper kauth(9) actions/requests for native scheduler stuff and the
recently introduced processor-sets.

Discussed with and okay rmind@, yamt@, and christos@.

Bump date.

Tons of process scope changes.

- Add a KAUTH_PROCESS_SCHEDULER action, to handle scheduler related
requests, and add specific requests for set/get scheduler policy and
set/get scheduler parameters.

- Add a KAUTH_PROCESS_KEVENT_FILTER action, to handle kevent(2) related
requests.

- Add a KAUTH_DEVICE_TTY_STI action to handle requests to TIOCSTI.

- Add requests for the KAUTH_PROCESS_CANSEE action, indicating what
process information is being looked at (entry itself, args, env,
open files).

- Add requests for the KAUTH_PROCESS_RLIMIT action indicating set/get.

- Add requests for the KAUTH_PROCESS_CORENAME action indicating set/get.

- Make bsd44 secmodel code handle the newly added rqeuests appropriately.

All of the above make it possible to issue finer-grained kauth(9) calls in
many places, removing some KAUTH_GENERIC_ISSUSER requests.

- Remove the "CAN" from KAUTH_PROCESS_CAN{KTRACE,PROCFS,PTRACE,SIGNAL}.

Discussed with christos@ and yamt@.

Remove support for NetBSD/pc532.

Remove some old sh5 references.

Make fork use kauth.

Been running in my tree for over a month at least.

Reviewed and okay yamt@, and special thanks to him as well as rittera@
for making this possible through fixing NDIS to not call fork1() with
l1 != curlwp.

Remove systrace. Ok core@.

Add a NOTES section to the manual, indicating that kauth(9) is still under
active development and its ABI (and possibly API) may change between
NetBSD versions.

This is critical to, for example, LKMs, where there might be a case of them
being built using one version of the ABI and used on system with another.

The main concern for "ABI" here is the set of KAUTH_* actions and requests
that is (for now) an enum. This note is likely to be removed as kauth(9)
is stablized -- hopefully before NetBSD 5.0.

okay christos@

Deprecate KAUTH_REQ_SYSTEM_TIME_BACKWARDS, as it was merged into
KAUTH_REQ_SYSTEM_TIME_SYSTEM.

Refactor time modification checks and place them in the secmodel code.

okay christos@

Fix typo.

Kill another instance of KAUTH_GENERIC_ISSUSER.

use a correct type for UIO_*.

branches: 1.52.4;
Document the 'flags' parameter to kauth_cred_set/getgroups.
Fix some obvious typos in the return types and return values of these
functions.

Add a new scope, the credentials scope, which is internal to the kauth(9)
implementation and meant to be used by security models to hook credential
related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(),
kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively)
and document it.

Add specificdata to credentials, and routines to register/deregister new
"keys", as well as set/get routines. This allows security models to add
their own private data to a kauth_cred_t.

The above two, combined, allow security models to control inheritance of
their own private data in credentials which is a requirement for doing
stuff like, I dunno, capabilities?

Talk about special cases for kauth_authorize_action().

Remove extra '.El', left in previous commit.

Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.

Introduce kauth_proc_fork() to control credential inheritance.

Remove advertising clause from all of my stuff.

Make mount(2) and unmount(2) use kauth(9) for security policy.

Okay yamt@.

Make kauth_deregister_scope() and kauth_unlisten_scope() free the
passed kauth_scope_t and kauth_listener_t objects, respectively.

Okay yamt@.

Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.

Use Dv for defined values.

Fix sections in Xrefs.

Add requests indicating access to unmanaged memory for arm, pc532, powerpc,
sh3, sh5, and vax, and use them instead of KAUTH_GENERIC_ISSUSER.

Update documentation and example secmodel code.

Some changes to get rid of another KAUTH_GENERIC_ISSUSER usage:
- Make procfs_control() in procfs_ctl.c static,
- Add an argument to the above, 'pfs', for the pfsnode,
- Add another request type to KAUTH_PROCESS_CANPROCFS named
KAUTH_REQ_PROCESS_CANPROCFS_CTL (and update documentation),
- Use the above combination in a call to kauth_authorize_process().

- moves 'nice' access semantics to secmodel code,
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
allowed to view the target process' corename, stop flags, and
rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.

okay yamt@

this is a pullup candidate.

Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.

Discussed on tech-security@ and tech-kern@. Okay tls@.

branches: 1.36.2;
Move ktrace, ptrace, systrace, and procfs to use kauth(9).

First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.

Add secmodel back-end to handle each subsystem.

Introduce KAUTH_REQ_MACHDEP_{ALPHA,X86}_UNMANAGEDMEM to handle access
to unmanaged memory.

These are the last two securelevel references in the MD code.

Provide a standard authorization wrapper for the device scope.

First attempt at an examples section, and while here also add some notes
about extending kauth(9).

Sync with reality.

Avoid punctuation markup; remove pastos (?).

Use integers, not pointers to integers, for KAUTH_REQ_NETWORK_SOCKET_OPEN.

Reminded by yamt@, thanks!

Don't take chances... properly document KAUTH_NETWORK_INTERFACE. On a
second thought having that warning just in the CVS log doesn't look too
helpful. :)

Document that arg1 and arg2 for KAUTH_NETWORK_INTERFACE are optional.
Document that arg3 is optionally the interface-specific request. Should
only make sense if we pass ifnet * in arg1!

Introduce KAUTH_REQ_NETWORK_SOCKET_OPEN, to check if opening a socket is
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).

Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indiacting it for
future reference.

Documented and updated examples as well.

Sync documentation for KAUTH_PROCESS_CANSIGNAL with reality.

Use consistent wording.

While here, undocument converstion routines for pcred/ucred, as these are
going to be deprecated. They already are, actually, but because we exposed
them to userland so cleverly with sysctl, it may require more thinking
before actually removing them. For now, just make sure nobody relies on
these types. Or at least try...

reflect kauth uucred routine changes

thanks to Elad for reminding

Document KAUTH_NETWORK_INTERFACE arguments.

Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE,
used to manage network interfaces.

Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.

Add a new ALTQ kauth(9) request, KAUTH_REQ_NETWORK_ALTQ_JOBS.

Introduce KAUTH_REQ_NETWORK_SOCKET_CANSEE. Since we're not gonna be having
credentials on sockets, at least not anytime soon, this is a way to check
if we can "look" at a socket. Later on when (and if) we do have socket
credentials, the interface usage remains the same because we pass the
socket.

This also fixes sysctl for inet/inet6 pcblist.

Use present tense for device scope, like for the others.

Some mdoc cleanup.

Implement the "device" scope.

It uses an authorization wrapper per device class on the system to
ensure type-safety.

For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.

Update documentation.

Drop trailing spaces.

Lose (void *) casts on the machdep scope authorization wrapper. Update
documentation.

Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.

Typo fix. Plural fixes.

Update kauth(9) that was forgotten in the big secmodel commit, and some
markup fixes.

Minor update for per-LWP creds.

sync with reality.

add note about how listeners should not sleep.

correct documentation wrt/KAUTH_PROCESS_CANSEE.

Sync with reality.

add KAUTH_GENERIC_CANSEE, which is like the KAUTH_PROCESS_CANSEE, only
for two kauth_cred_t rather than kauth_cred_t and struct proc *.

advise against using it in the man-page; it should be used only in cases
where we either don't have an object-specific op or when we can't easily
use one.

kauth(9) will be in netbsd 4.0.

remove kauth_cred_destroy.

branches: 1.3.2;
add a missing \ .

add kauth man-page.

branches: 1.1.2;
file kauth.9 was initially added on branch elad-kernelauth.