Home | History | Annotate | Download | only in kern
History log of /src/sys/kern/kern_auth.c
RevisionDateAuthorComments
 1.84  04-Oct-2023  ad kauth_cred_hold(): return cred verbatim so that donating a reference to
another data structure can be done more elegantly.
 1.83  02-Oct-2023  ad kauth_cred_groupmember(): check egid before a tedious scan of groups.
 1.82  24-Feb-2023  riastradh kern: Eliminate most __HAVE_ATOMIC_AS_MEMBAR conditionals.

I'm leaving in the conditional around the legacy membar_enters
(store-before-load, store-before-store) in kern_mutex.c and in
kern_lock.c because they may still matter: store-before-load barriers
tend to be the most expensive kind, so eliding them is probably
worthwhile on x86. (It also may not matter; I just don't care to do
measurements right now, and it's a single valid and potentially
justifiable use case in the whole tree.)

However, membar_release/acquire can be mere instruction barriers on
all TSO platforms including x86, so there's no need to go out of our
way with a bad API to conditionalize them. If the procedure call
overhead is measurable we just could change them to be macros on x86
that expand into __insn_barrier.

Discussed on tech-kern:
https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html
 1.81  09-Apr-2022  riastradh sys: Use membar_release/acquire around reference drop.

This just goes through my recent reference count membar audit and
changes membar_exit to membar_release and membar_enter to
membar_acquire -- this should make everything cheaper on most CPUs
without hurting correctness, because membar_acquire is generally
cheaper than membar_enter.
 1.80  27-Mar-2022  christos Expose groupmember as kauth_cred_groupmember and use it.
 1.79  12-Mar-2022  riastradh sys: Membar audit around reference count releases.

If two threads are using an object that is freed when the reference
count goes to zero, we need to ensure that all memory operations
related to the object happen before freeing the object.

Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one
thread takes responsibility for freeing, but it's not enough to
ensure that the other thread's memory operations happen before the
freeing.

Consider:

Thread A Thread B
obj->foo = 42; obj->baz = 73;
mumble(&obj->bar); grumble(&obj->quux);
/* membar_exit(); */ /* membar_exit(); */
atomic_dec -- not last atomic_dec -- last
/* membar_enter(); */
KASSERT(invariant(obj->foo,
obj->bar));
free_stuff(obj);

The memory barriers ensure that

obj->foo = 42;
mumble(&obj->bar);

in thread A happens before

KASSERT(invariant(obj->foo, obj->bar));
free_stuff(obj);

in thread B. Without them, this ordering is not guaranteed.

So in general it is necessary to do

membar_exit();
if (atomic_dec_uint_nv(&obj->refcnt) != 0)
return;
membar_enter();

to release a reference, for the `last one out hit the lights' style
of reference counting. (This is in contrast to the style where one
thread blocks new references and then waits under a lock for existing
ones to drain with a condvar -- no membar needed thanks to mutex(9).)

I searched for atomic_dec to find all these. Obviously we ought to
have a better abstraction for this because there's so much copypasta.
This is a stop-gap measure to fix actual bugs until we have that. It
would be nice if an abstraction could gracefully handle the different
styles of reference counting in use -- some years ago I drafted an
API for this, but making it cover everything got a little out of hand
(particularly with struct vnode::v_usecount) and I ended up setting
it aside to work on psref/localcount instead for better scalability.

I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I
only put it on things that look performance-critical on 5sec review.
We should really adopt membar_enter_preatomic/membar_exit_postatomic
or something (except they are applicable only to atomic r/m/w, not to
atomic_load/store_*, making the naming annoying) and get rid of all
the ifdefs.
 1.78  16-May-2020  christos Add ACL support for FFS. From FreeBSD.
 1.77  03-Sep-2018  riastradh Rename min/max -> uimin/uimax for better honesty.

These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.

HOWEVER! Some subsystems have

#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))

even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.

To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.

I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:

cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))

It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.

Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)
 1.76  01-Jun-2017  chs branches: 1.76.8; 1.76.10;
remove checks for failure after memory allocation calls that cannot fail:

kmem_alloc() with KM_SLEEP
kmem_zalloc() with KM_SLEEP
percpu_alloc()
pserialize_create()
psref_class_create()

all of these paths include an assertion that the allocation has not failed,
so callers should not assert that again.
 1.75  06-Oct-2015  christos Expose struct kauth_cred for the benefit of the debugger. I can't convince gcc
to produce debug info for the structure if it does not appear in more than
one source file.
 1.74  08-Aug-2015  mlelstv KASSERT that magic pointers NOCRED and FSCRED are not dereferenced.
 1.73  18-Mar-2013  plunky branches: 1.73.14;
C99 section 6.7.2.3 (Tags) Note 3 states that:

A type specifier of the form

enum identifier

without an enumerator list shall only appear after the type it
specifies is complete.

which means that we cannot pass an "enum vtype" argument to
kauth_access_action() without fully specifying the type first.
Unfortunately there is a complicated include file loop which
makes that difficult, so convert this minimal function into a
macro (and capitalize it).

(ok elad@)
 1.72  16-Sep-2012  christos PR/46973: Dr. Wolfgang Stukenbrock: kauth_authorize_action_internal() returns
non-macro value as it should do
 1.71  27-Jun-2012  cheusov branches: 1.71.2;

Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential scope.
Reviewed and approved by elad@.
 1.70  27-Jun-2012  cheusov KNF fix. space vs. tab
 1.69  27-Jun-2012  cheusov Fix a typo. s/seperate/separate/
 1.68  13-Mar-2012  elad Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.

Most of these changes were brought up in the following messages:

http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html

Thanks to christos, manu, njoly, and jmmv for input.

Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
 1.67  13-Mar-2012  elad Remove TNF license.
 1.66  04-Dec-2011  jym Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.

When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:

bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;

This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.

Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.

Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.

We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).

The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.

Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.

Documentation is incoming, I am proof-reading my writings.

Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.

See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html

XXX might consider va0 mapping too.

XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
 1.65  31-Dec-2009  elad branches: 1.65.12; 1.65.16;
Tiny cosmetics...
 1.64  03-Sep-2009  elad Implement the vnode scope and adapt tmpfs to use it.

Mailing list reference:

http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
 1.63  16-Aug-2009  yamt kauth_cred_free: add an assertion.
 1.62  05-Apr-2009  lukem fix sign-compare issues
 1.61  15-Aug-2008  matt branches: 1.61.2; 1.61.8;
Use __arraycount when appropriate
 1.60  28-Apr-2008  martin branches: 1.60.2; 1.60.6;
Remove clause 3 and 4 from TNF licenses
 1.59  24-Apr-2008  ad branches: 1.59.2;
Merge proc::p_mutex and proc::p_smutex into a single adaptive mutex, since
we no longer need to guard against access from hardware interrupt handlers.

Additionally, if cloning a process with CLONE_SIGHAND, arrange to have the
child process share the parent's lock so that signal state may be kept in
sync. Partially addresses PR kern/37437.
 1.58  27-Mar-2008  ad branches: 1.58.2;
Replace use of CACHE_LINE_SIZE in some obvious places.
 1.57  14-Feb-2008  ad branches: 1.57.6;
Remove 'contributed to' text from the TNF license on this file, so that
it can not be complained about.
 1.56  29-Nov-2007  ad Fix minor error in previous.
 1.55  29-Nov-2007  ad Use atomics to adjust the credential reference count.
 1.54  11-Nov-2007  matt Change some initialization of static queues to compile time.
(xxx_INIT to xxx_HEAD_INITIALIZER). Drop code which inits
non-auto (global or static) variables to 0 since that's
already implied by being non-auto. Init some static/global
cpu_simple_locks at compile time.
 1.53  07-Nov-2007  ad Merge from vmlocking:

- pool_cache changes.
- Debugger/procfs locking fixes.
- Other minor changes.
 1.52  23-Sep-2007  yamt branches: 1.52.4; 1.52.6;
use a correct type for UIO_*.
 1.51  06-Jul-2007  dsl branches: 1.51.6; 1.51.8;
Fix the other inverted test as well.
 1.50  06-Jul-2007  dsl Fix intverted test, should fix nfs and hp700 issues.
 1.49  30-Jun-2007  dsl Add a flags parameter to kauth_cred_get/setgroups() so that sys_set/setgroups
can copy directly to/from userspace.
Avoids exposing the implementation of the group list as an array to code
outside kern_auth.c.
compat code and man page need updating.
 1.48  23-Jun-2007  dsl Simplify the interfaces needed for sys_setgroups() and sys_getgroups().
Exposed that the kauth code holds groups in an array, but removes some
of the knowledge of the maximum number of groups.
Allows the syscall code to copyin/out directly to/from the cred structure,
this save a lot of faffing about with malloc/free even when compat code
has to use 16bit groups.
 1.47  12-Mar-2007  ad branches: 1.47.2;
Pass an ipl argument to pool_init/POOL_INIT to be used when initializing
the pool's lock.
 1.46  24-Feb-2007  christos branches: 1.46.4;
Revert the kauth_impl.h change. Elad is going to maintain this. Asked by core@
 1.45  18-Feb-2007  dsl The pre-kauth 'struct ucread' and 'struct pcred' are now only used in the
(depracted some time ago) 'struct kinfo_proc' returned by sysctl.
Move the definitions to sys/syctl.h and rename in order to ensure all the
users are located.
 1.44  09-Feb-2007  ad branches: 1.44.2;
Merge newlock2 to head.
 1.43  07-Feb-2007  elad Add comment referring to kvm_proc.c.
 1.42  31-Jan-2007  elad Fix notify only logic for credentials scope. Thanks ad@!
 1.41  31-Jan-2007  elad Add a new scope, the credentials scope, which is internal to the kauth(9)
implementation and meant to be used by security models to hook credential
related operations (init, fork, copy, free -- hooked in kauth_cred_alloc(),
kauth_proc_fork(), kauth_cred_clone(), and kauth_cred_free(), respectively)
and document it.

Add specificdata to credentials, and routines to register/deregister new
"keys", as well as set/get routines. This allows security models to add
their own private data to a kauth_cred_t.

The above two, combined, allow security models to control inheritance of
their own private data in credentials which is a requirement for doing
stuff like, I dunno, capabilities?
 1.40  26-Jan-2007  elad No need to include acct.h, sysctl.h, and time.h.
 1.39  16-Jan-2007  elad Introduce secmodel_register() and secmodel_deregister() (for now left
undocumented) and change logic in kauth_authorize_action() to only
allow an action if it wasn't explicitly allowed/denied and there are no
secmodels loaded.

Okay yamt@.
 1.38  15-Jan-2007  elad Introduce kauth_proc_fork() to control credential inheritance.
 1.37  09-Jan-2007  elad Remove advertising clause from all of my stuff.
 1.36  01-Jan-2007  elad Make kauth_deregister_scope() and kauth_unlisten_scope() free the
passed kauth_scope_t and kauth_listener_t objects, respectively.

Okay yamt@.
 1.35  26-Dec-2006  elad Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
 1.34  23-Dec-2006  ad Allocate space for scopes and listeners with kmem. Ok elad@.
 1.33  02-Dec-2006  elad Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.

Discussed on tech-security@ and tech-kern@. Okay tls@.
 1.32  19-Nov-2006  elad branches: 1.32.2;
Provide a standard authorization wrapper for the device scope.
 1.31  04-Nov-2006  elad Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o
requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU.

Expose iskmemdev() through sys/conf.h.

okay yamt@
 1.30  01-Nov-2006  yamt remove some __unused from function parameters.
 1.29  22-Oct-2006  pooka kauth_cred_uucvt() -> kauth_uucred_to_cred(), introduce kauth_cred_to_uucred()

per tech-kern proposal
 1.28  22-Oct-2006  elad Remove todo that has been documented for a long time now.
 1.27  12-Oct-2006  christos - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
 1.26  02-Oct-2006  elad Move the kauth_init() call above auto-configuration; this will fix some
recent bugs introduced with the usage of kauth(9) in MD/device code.

While here, change the sanity checks to KASSERT(), because they're really
bugs we should fix if triggered.
 1.25  30-Sep-2006  elad Implement the "device" scope.

It uses an authorization wrapper per device class on the system to
ensure type-safety.

For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.

Update documentation.
 1.24  19-Sep-2006  elad Lose (void *) casts on the machdep scope authorization wrapper. Update
documentation.
 1.23  19-Sep-2006  elad Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.

While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).

Update documentation.
 1.22  15-Sep-2006  elad branches: 1.22.2;
Introduce a new flag we mark as TRUE when we load listeners, and change
the logic in kauth_authorize_action() to use it.

When we try to authorize a request and the flag is FALSE, it means a
kernel was compiled with no listeners (or we're in very early boot stages),
and we always allow the request because it's likely to be coming from the
kernel itself or from loading an LKM with the security model (later on).

Assert that if the "listeners have been loaded" flag is FALSE, there are
really no listeners for the scope we're authorizing on.

When the flag is TRUE (ie., listeners have been loaded) but they were
later removed, creating a scope with no listeners, the request will be
denied further down.

This allows us to have the security model compiled outside the NetBSD
kernel and later loaded as an LKM, without fearing an attack will just
remove listeners we loaded earlier to create a "fail open" situation.

Input from yamt@, thorpej@, gdt@, dan@.
Okay yamt@, thorpej@.
 1.21  14-Sep-2006  yamt kauth_register_scope: don't leak a listener
when no default listener is specified.
 1.20  08-Sep-2006  elad branches: 1.20.2;
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
 1.19  08-Sep-2006  elad First take at security model abstraction.

- Add a few scopes to the kernel: system, network, and machdep.

- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.

- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.

- Update all relevant documentation.

- Add some code and docs to help folks who want to actually use this stuff:

* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.

This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...

* And of course, documentation describing how to do the above for quick
reference, including code samples.

All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:

http://kauth.linbsd.org/kauthwiki

NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:

- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.

(or if you feel you have to, contact me first)

This is still work in progress; It's far from being done, but now it'll
be a lot easier.

Relevant mailing list threads:

http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html

Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).

Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.

Happy birthday Randi! :)
 1.18  02-Sep-2006  elad branches: 1.18.2;
Short-circuit calls to kauth_authorize_action() for a scope withtout any
listeners to always return "allow".

The idea is that it's not entirely unlikely that some vendors, or users,
will decide to load the security model as an LKM, and that can only
happen after at least mounting local file-systems. If we would not have
this fast-path, all authorization requests would be denied.

okay christos@
 1.17  20-Aug-2006  christos From Elad:

Attached diff short-circuits kauth_authorize_action() if the request
comes from the kernel (NOCRED or FSCRED).

okay matt@
 1.16  16-Aug-2006  christos Pretending to be Elad's keyboard:

Attached diff let's call kauth_register_scope() with a NULL default
listener. from tn2127:

"callback is the address of the listener callback function for this
scope; this becomes the scope's default listener. This parameter may be
NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is
assumed."
 1.15  26-Jul-2006  elad branches: 1.15.2;
make the sleepable assertion in #if 0 (with commented out LOCKDEBUG for
later) until we sort that stuff out.
 1.14  23-Jul-2006  ad Use the LWP cached credentials where sane.
 1.13  22-Jul-2006  elad if LOCKDEBUG, assert that we can sleep in kauth_authorize_action().
discussed with yamt@ on tech-kern.
 1.12  17-Jul-2006  ad - Don't cast kauth_cred_t to (struct ucred *), just set pc_ucred = NULL.
- Fill ucred::cr_ref.
 1.11  17-Jul-2006  ad - Only acquire cr_lock when changing cr_refcnt.
- When freeing, test the value of cr_refcnt from inside the lock perimiter.
- Change some uint16_t/uint32_t types to u_int.
- KASSERT(cr_refcnt > 0) in appropriate places.
- KASSERT(cr_refcnt == 1) when changing the credential.
 1.10  16-Jul-2006  elad add KAUTH_GENERIC_CANSEE, which is like the KAUTH_PROCESS_CANSEE, only
for two kauth_cred_t rather than kauth_cred_t and struct proc *.

advise against using it in the man-page; it should be used only in cases
where we either don't have an object-specific op or when we can't easily
use one.
 1.9  15-Jul-2006  yamt kauth_cred_setgroups: fix an assertion.
 1.8  13-Jun-2006  dyoung branches: 1.8.4;
The UID_MAX limit is not enforced by syscalls such as setreuid(2),
so I remove the assertion uid >= 0 && uid <= UID_MAX. This squashes
a bug where Quagga would panic my machine by passing a UID outside
the range [0, UID_MAX].

AFAICT, this restores the historical (pre-kauth) behavior.

It is likely that GIDs do not satisfy the assertion gid >= 0 &&
gid <= GID_MAX, so remove that, too.

Patch from elad.
 1.7  13-Jun-2006  yamt remove unnecessary arguments from kauth_authorize_process.
ie. make it similar to the one found in apple TN.
 1.6  28-May-2006  yamt branches: 1.6.2;
make some internal variables static.
 1.5  28-May-2006  yamt remove kauth_cred_destroy, which isn't used anymore. ok'ed by Elad Efrat.
 1.4  24-May-2006  yamt kauth_cred_uucmp: fix inversed return code. PR/33546 from Juan RP.
 1.3  23-May-2006  yamt branches: 1.3.2; 1.3.4;
KNF. wrap a long line.
 1.2  14-May-2006  elad branches: 1.2.2;
add kauth backend.
 1.1  07-Mar-2006  elad branches: 1.1.2;
file kern_auth.c was initially added on branch elad-kernelauth.
 1.1.2.27  19-Apr-2006  elad re-add kern_auth.c and kauth.h lost in commit storm
 1.1.2.26  19-Apr-2006  elad sync with head.
 1.1.2.25  13-Apr-2006  elad Deprecate use of CURTAIN() where it's easy -- now it's done via kauth(9),
process scope, CANSEE.
 1.1.2.24  14-Mar-2006  elad Some cleanup...

Add kauth_cred_[sg]etgroups(), and remove kauth_cred_{add,del}group().
Don't sort the groups when adding them; the caller should do this for
us. This maintains same behavior.
And since we're no longer sorting our groups, revert back to the simple
linear search, as suggested by yamt@.
 1.1.2.23  12-Mar-2006  elad The group list we keep in kauth_cred_t is always sorted, so use binary
search for kauth_cred_ismember_gid().
 1.1.2.22  12-Mar-2006  elad Rename kauth_cred_compare() to kauth_cred_uucmp(), and kauth_cred_convert()
to kauth_cred_uucvt(). This makes it clearer that we're working on struct
uucred.

Inspired by comments from yamt@.
 1.1.2.21  12-Mar-2006  elad Make kauth_cred_uidmatch() static.
 1.1.2.20  12-Mar-2006  elad We no longer need kauth_cred_memcmp().
 1.1.2.19  11-Mar-2006  elad When calling kauth_cred_ismember_gid(), don't return the error code if
there is one, just treat it as if the check failed.

Pointed out by thorpej@.
 1.1.2.18  11-Mar-2006  elad Declare i in the appropriate scope, and the array is cr_groups... err...
 1.1.2.17  11-Mar-2006  elad Get rid of the memcmp() call in kauth_cred_compare(), and just iterate
over the groups in the struct uucred and check each of them with a call
to kauth_cred_ismember_gid().
 1.1.2.16  11-Mar-2006  elad kauth_cred_groupmember() -> kauth_cred_ismember_gid(), as requested by
thorpej@ to conform to the Darwin KPI.
 1.1.2.15  11-Mar-2006  elad Remove no longer used kauth_cred_setngroups().
 1.1.2.14  10-Mar-2006  elad Get rid of kauth_cred_zero().
 1.1.2.13  10-Mar-2006  elad Some cleanup.

kauth_cred_setrefcnt() was only called after kauth_cred_convert() in NFS
code to convert a struct uucred to kauth_cred_t. Since there's no valid
use for such a function, make kauth_cred_convert() set the reference
count to 1 and eliminate the need for kauth_cred_setrefcnt() entirely.

Motivated by comments from yamt@ and thorpej@.
 1.1.2.12  10-Mar-2006  elad generic_authorize() -> kauth_authorize_generic().
 1.1.2.11  10-Mar-2006  elad process_authorize() -> kauth_authorize_process(), to be closer to the
original and as requested by yamt@ and thorpej@.
 1.1.2.10  09-Mar-2006  elad No need to zero before pool_put().
 1.1.2.9  09-Mar-2006  elad Namespace cleanup, as requested by yamt@.
 1.1.2.8  08-Mar-2006  elad Fix some issues with set-id binaries.
 1.1.2.7  08-Mar-2006  elad Better handling of unlocking before pool_put().
 1.1.2.6  08-Mar-2006  elad Correct usage for kauth_cred_uidmatch().
 1.1.2.5  08-Mar-2006  elad Implement kauth_cred_get() as suggested by thorpej@.
 1.1.2.4  08-Mar-2006  elad Fix some locking violations.
 1.1.2.3  08-Mar-2006  elad Another locking issue missed in previous commit...
 1.1.2.2  08-Mar-2006  elad Fix some lock usage.
 1.1.2.1  07-Mar-2006  elad Add kernel authorization routines.
 1.2.2.1  19-Jun-2006  chap Sync with head.
 1.3.4.2  24-May-2006  tron Merge 2006-05-24 NetBSD-current into the "peter-altq" branch.
 1.3.4.1  23-May-2006  tron file kern_auth.c was added on branch peter-altq on 2006-05-24 15:50:40 +0000
 1.3.2.6  14-Sep-2006  yamt sync with head.
 1.3.2.5  03-Sep-2006  yamt sync with head.
 1.3.2.4  11-Aug-2006  yamt sync with head
 1.3.2.3  26-Jun-2006  yamt sync with head.
 1.3.2.2  24-May-2006  yamt sync with head.
 1.3.2.1  23-May-2006  yamt file kern_auth.c was added on branch yamt-pdpolicy on 2006-05-24 10:58:40 +0000
 1.6.2.2  01-Jun-2006  kardel Sync with head.
 1.6.2.1  28-May-2006  kardel file kern_auth.c was added on branch simonb-timecounters on 2006-06-01 22:38:07 +0000
 1.8.4.9  27-Feb-2008  yamt sync with head.
 1.8.4.8  07-Dec-2007  yamt sync with head
 1.8.4.7  15-Nov-2007  yamt sync with head.
 1.8.4.6  27-Oct-2007  yamt sync with head.
 1.8.4.5  03-Sep-2007  yamt sync with head.
 1.8.4.4  26-Feb-2007  yamt sync with head.
 1.8.4.3  30-Dec-2006  yamt sync with head.
 1.8.4.2  21-Jun-2006  yamt sync with head.
 1.8.4.1  13-Jun-2006  yamt file kern_auth.c was added on branch yamt-lazymbuf on 2006-06-21 15:09:37 +0000
 1.15.2.2  24-Aug-2006  tron Pull up following revision(s) (requested by elad in ticket #42):
sys/kern/kern_auth.c: revision 1.17
From Elad:
Attached diff short-circuits kauth_authorize_action() if the request
comes from the kernel (NOCRED or FSCRED).
okay matt@
 1.15.2.1  21-Aug-2006  tron Pull up following revision(s) (requested by elad in ticket #33):
sys/kern/kern_auth.c: revision 1.16
Pretending to be Elad's keyboard:
Attached diff let's call kauth_register_scope() with a NULL default
listener. from tn2127:
"callback is the address of the listener callback function for this
scope; this becomes the scope's default listener. This parameter may be
NULL, in which case a callback that always returns KAUTH_RESULT_DEFER is
assumed."
 1.18.2.7  09-Feb-2007  ad Sync with HEAD.
 1.18.2.6  09-Feb-2007  ad Split the definition of "struct kauth_cred" out into sys/kauth_impl.h.

Ok core@.
 1.18.2.5  05-Feb-2007  yamt kauth_cred_free: don't forget to destroy mutex.
 1.18.2.4  04-Feb-2007  ad Replace simplelocks.

XXX Needs thought, as kauth complicates lock ordering slightly, and has
complications surrounding the lifetime of credentials if listeners are
permitted to sleep.
 1.18.2.3  01-Feb-2007  ad Sync with head.
 1.18.2.2  12-Jan-2007  ad Sync with head.
 1.18.2.1  18-Nov-2006  ad Sync with head.
 1.20.2.2  09-Sep-2006  rpaulo sync with head
 1.20.2.1  08-Sep-2006  rpaulo file kern_auth.c was added on branch rpaulo-netinet-merge-pcb on 2006-09-09 02:57:15 +0000
 1.22.2.2  10-Dec-2006  yamt sync with head.
 1.22.2.1  22-Oct-2006  yamt sync with head
 1.32.2.4  07-Jan-2007  bouyer Pull up following revision(s) (requested by elad in ticket #339):
sys/kern/kern_auth.c: revision 1.34
Allocate space for scopes and listeners with kmem. Ok elad@.
 1.32.2.3  06-Jan-2007  bouyer Pull up following revision(s) (requested by elad in ticket #322):
share/man/man9/kauth.9: revision 1.44
sys/kern/kern_auth.c: revision 1.36
Make kauth_deregister_scope() and kauth_unlisten_scope() free the
passed kauth_scope_t and kauth_listener_t objects, respectively.
Okay yamt@.
 1.32.2.2  06-Jan-2007  bouyer Pull up following revision(s) (requested by elad in ticket #316):
share/examples/secmodel/secmodel_example.c: revision 1.10 via patch
sys/arch/i386/i386/sys_machdep.c: revision 1.79
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.31
share/man/man9/secmodel_bsd44.9: revision 1.9
sys/arch/vax/vax/mem.c: revision 1.34 via patch
sys/arch/sh3/sh3/mem.c: revision 1.23 via patch
sys/arch/sh5/sh5/mem.c: revision 1.14 via patch
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.22 via patch
sys/arch/powerpc/powerpc/mem.c: revision 1.27 via patch
sys/arch/x86/x86/x86_machdep.c: revision 1.5
sys/arch/alpha/alpha/machdep.c: revision 1.291
sys/arch/arm/arm32/mem.c: revision 1.17 via patch
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.20
sys/sys/kauth.h: revision 1.29 via patch
sys/arch/amd64/amd64/sys_machdep.c: revision 1.10
share/man/man9/kauth.9: revision 1.43 via patch
sys/arch/xen/i386/sys_machdep.c: revision 1.10
sys/kern/kern_auth.c: revision 1.35
sys/arch/pc532/pc532/mem.c: revision 1.43 via patch
Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
 1.32.2.1  04-Dec-2006  tron Pull up following revision(s) (requested by elad in ticket #247):
sys/dev/ic/dpt.c: revision 1.55
sys/dev/pci/amr.c: revision 1.43
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.19
sys/dev/pci/mly.c: revision 1.33
share/man/man9/kauth.9: revision 1.37
sys/dev/ic/mlx.c: revision 1.49
sys/dev/ic/icp_ioctl.c: revision 1.14
sys/dev/i2o/iop.c: revision 1.62
sys/dev/pci/twe.c: revision 1.82
sys/sys/kauth.h: revision 1.25
sys/dev/i2o/dpti.c: revision 1.31
sys/kern/kern_auth.c: revision 1.33
sys/dev/tc/stic.c: revision 1.37
Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.
Discussed on tech-security@ and tech-kern@. Okay tls@.
 1.44.2.2  24-Mar-2007  yamt sync with head.
 1.44.2.1  27-Feb-2007  yamt - sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.
 1.46.4.5  09-Oct-2007  ad Sync with head.
 1.46.4.4  01-Sep-2007  ad Use pool_cache for allocating a few more types of objects.
 1.46.4.3  15-Jul-2007  ad Sync with head.
 1.46.4.2  21-Mar-2007  ad GC the simplelock/spinlock debugging stuff.
 1.46.4.1  13-Mar-2007  ad Sync with head.
 1.47.2.1  11-Jul-2007  mjf Sync with head.
 1.51.8.4  23-Mar-2008  matt sync with HEAD
 1.51.8.3  09-Jan-2008  matt sync with HEAD
 1.51.8.2  08-Nov-2007  matt sync with -HEAD
 1.51.8.1  06-Nov-2007  matt sync with HEAD
 1.51.6.4  03-Dec-2007  joerg Sync with HEAD.
 1.51.6.3  14-Nov-2007  joerg Sync with HEAD.
 1.51.6.2  11-Nov-2007  joerg Sync with HEAD.
 1.51.6.1  02-Oct-2007  joerg Sync with HEAD.
 1.52.6.3  18-Feb-2008  mjf Sync with HEAD.
 1.52.6.2  08-Dec-2007  mjf Sync with HEAD.
 1.52.6.1  19-Nov-2007  mjf Sync with HEAD.
 1.52.4.1  13-Nov-2007  bouyer Sync with HEAD
 1.57.6.3  28-Sep-2008  mjf Sync with HEAD.
 1.57.6.2  02-Jun-2008  mjf Sync with HEAD.
 1.57.6.1  03-Apr-2008  mjf Sync with HEAD.
 1.58.2.1  18-May-2008  yamt sync with head.
 1.59.2.5  11-Mar-2010  yamt sync with head
 1.59.2.4  16-Sep-2009  yamt sync with head
 1.59.2.3  19-Aug-2009  yamt sync with head.
 1.59.2.2  04-May-2009  yamt sync with head.
 1.59.2.1  16-May-2008  yamt sync with head.
 1.60.6.1  19-Oct-2008  haad Sync with HEAD.
 1.60.2.1  18-Sep-2008  wrstuden Sync with wrstuden-revivesa-base-2.
 1.61.8.1  13-May-2009  jym Sync with HEAD.

Commit is split, to avoid a "too many arguments" protocol error.
 1.61.2.1  28-Apr-2009  skrll Sync with HEAD.
 1.65.16.2  05-Apr-2012  mrg sync to latest -current.
 1.65.16.1  18-Feb-2012  mrg merge to -current.
 1.65.12.3  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.65.12.2  30-Oct-2012  yamt sync with head
 1.65.12.1  17-Apr-2012  yamt sync with head
 1.71.2.3  03-Dec-2017  jdolecek update from HEAD
 1.71.2.2  23-Jun-2013  tls resync from head
 1.71.2.1  20-Nov-2012  tls Resync to 2012-11-19 00:00:00 UTC
 1.73.14.3  28-Aug-2017  skrll Sync with HEAD
 1.73.14.2  27-Dec-2015  skrll Sync with HEAD (as of 26th Dec)
 1.73.14.1  22-Sep-2015  skrll Sync with HEAD
 1.76.10.1  10-Jun-2019  christos Sync with HEAD
 1.76.8.1  06-Sep-2018  pgoyette Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)

RSS XML Feed