| History log of /src/sys/secmodel |
| Revision | Date | Author | Comments |
| 1.5 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.4 | 02-Oct-2009 |
elad | branches: 1.4.12; 1.4.16;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.3 | 14-Aug-2009 |
mbalmer | Add support for multi-position electro-mechanical keylocks. An example
driver, gpiolock(4), is provided as an example how to interface real hardware.
A new securemodel, securemodel_keylock, is provided to show how this can
be used to tie keylocks to overall system security. This is experimental
code. The diff has been on tech-kern for several weeks.
Reviewed by many, kauth(9) integration reviewed by Elad Efrat; approved by
tonnerre@ and tron@. Thanks to everyone who provided feedback.
|
| 1.2 | 21-Nov-2007 |
elad | branches: 1.2.18;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.10; 1.1.30; 1.1.32; 1.1.36; 1.1.38;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.38.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.1.36.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.1.32.1 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.1.30.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.1.10.3 | 07-Dec-2007 |
yamt | sync with head
|
| 1.1.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.1.10.1 | 08-Sep-2006 |
yamt | file files.secmodel was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file files.secmodel was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.18.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.2.18.1 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.4.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.4.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.2 | 04-Nov-2014 |
maxv | Do not release secmodels_lock when it is not held.
Sent on tech-kern@, ok lars@
|
| 1.1 | 04-Dec-2011 |
jym | branches: 1.1.4; 1.1.6; 1.1.10; 1.1.26;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.1.26.1 | 07-Nov-2014 |
martin | Pull up following revision(s) (requested by maxv in ticket #180):
sys/secmodel/secmodel.c: revision 1.2
Do not release secmodels_lock when it is not held.
Sent on tech-kern@, ok lars@
|
| 1.1.10.1 | 03-Dec-2017 |
jdolecek | update from HEAD
|
| 1.1.6.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.6.1 | 04-Dec-2011 |
yamt | file secmodel.c was added on branch yamt-pagecache on 2012-04-17 00:08:50 +0000
|
| 1.1.4.2 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.1.4.1 | 04-Dec-2011 |
mrg | file secmodel.c was added on branch jmcneill-usbmp on 2012-02-18 07:35:46 +0000
|
| 1.5 | 14-Feb-2020 |
riastradh | Provide necessary forward declarations or includes.
|
| 1.4 | 04-Dec-2011 |
jym | branches: 1.4.48; 1.4.54;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.3 | 02-Oct-2009 |
elad | branches: 1.3.10; 1.3.14;
Remove secmodel.h, forgotten in previous commit:
http://mail-index.netbsd.org/source-changes/2009/10/02/msg001437.html
|
| 1.2 | 09-Jan-2007 |
elad | branches: 1.2.44;
Remove advertising clause from all of my stuff.
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.10;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.10.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.1.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.1.10.1 | 08-Sep-2006 |
yamt | file secmodel.h was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.1.6.2 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file secmodel.h was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.44.1 | 11-Mar-2010 |
yamt | sync with head
|
| 1.3.14.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.3.10.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.4.54.1 | 29-Feb-2020 |
ad | Sync with head.
|
| 1.4.48.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.7 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.6 | 04-Dec-2011 |
jym | branches: 1.6.48;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.5 | 02-Oct-2009 |
elad | branches: 1.5.12; 1.5.16;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.4 | 16-Jan-2007 |
elad | branches: 1.4.44;
Implement secmodel_bsd44_start(), secmodel_bsd44_stop(), and
secmodel_overlay_start().
|
| 1.3 | 09-Jan-2007 |
elad | Remove advertising clause from all of my stuff.
|
| 1.2 | 02-Jan-2007 |
elad | Add prototypes for the sysctl(9) setup routines for LKMs only.
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.10;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.10.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.1.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.1.10.1 | 08-Sep-2006 |
yamt | file bsd44.h was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.1.6.3 | 01-Feb-2007 |
ad | Sync with head.
|
| 1.1.6.2 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file bsd44.h was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.4.44.1 | 11-Mar-2010 |
yamt | sync with head
|
| 1.5.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.5.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.6.48.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.4 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.3 | 02-Oct-2009 |
elad | branches: 1.3.12; 1.3.16;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.2 | 21-Nov-2007 |
elad | branches: 1.2.18;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.10; 1.1.30; 1.1.32; 1.1.36; 1.1.38;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.38.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.1.36.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.1.32.1 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.1.30.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.1.10.3 | 07-Dec-2007 |
yamt | sync with head
|
| 1.1.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.1.10.1 | 08-Sep-2006 |
yamt | file files.bsd44 was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file files.bsd44 was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.18.1 | 11-Mar-2010 |
yamt | sync with head
|
| 1.3.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.3.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.17 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.16 | 25-Feb-2014 |
pooka | branches: 1.16.30;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.15 | 04-Dec-2011 |
jym | branches: 1.15.6; 1.15.10;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.14 | 28-Nov-2011 |
jym | branches: 1.14.2;
The secmodel(9)s init, start and stop routines are managed by each
secmodel module(7), so there is no point in calling suser/securelevel
routines from bsd44. This leads to unwanted cross-secmodel dependencies.
Do not call secmodel_bsd44_init() from secmodel_overlay_init(). Doing so
resets all curtain/securelevel values, which is not really needed when
loading an overlay filter.
Remove the secmodel_register/deregister comments, they will be
implemented differently in an upcoming patch.
ok elad@ (via private mail).
|
| 1.13 | 02-Oct-2009 |
elad | branches: 1.13.12;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.12 | 03-May-2009 |
elad | Move dovfsusermount to secmodel_bsd44, where it really belongs.
The secmodel code now creates the same knob in two places: both under the
secmodel itself, as well as the widely known location.
Mailing list references:
http://mail-index.netbsd.org/source-changes/2009/05/02/msg220641.html
http://mail-index.netbsd.org/tech-kern/2009/05/03/msg005015.html
|
| 1.11 | 21-Nov-2007 |
elad | branches: 1.11.18; 1.11.32;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.10 | 16-Jan-2007 |
elad | branches: 1.10.18; 1.10.20; 1.10.24; 1.10.26;
Use secmodel_register() and secmodel_deregister().
|
| 1.9 | 16-Jan-2007 |
elad | Implement secmodel_bsd44_start(), secmodel_bsd44_stop(), and
secmodel_overlay_start().
|
| 1.8 | 09-Jan-2007 |
elad | Remove advertising clause from all of my stuff.
|
| 1.7 | 02-Jan-2007 |
elad | Don't compile secmodel_start() if built as an LKM.
|
| 1.6 | 02-Jan-2007 |
elad | Make the securelevel contained by not exposing the variable that keeps
it outside secmodel_bsd44_securelevel.c.
|
| 1.5 | 31-Dec-2006 |
elad | Explicitly 'extern int securelevel;' in the sysctl(9) setup routine.
|
| 1.4 | 06-Oct-2006 |
elad | branches: 1.4.2; 1.4.6;
Create 'security.curtain' for documentation compatibility.
|
| 1.3 | 17-Sep-2006 |
elad | branches: 1.3.2;
Make the sysctl warnings on dmesg ("..returned 17") go away, after many
people didn't like them.
|
| 1.2 | 08-Sep-2006 |
elad | branches: 1.2.2;
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
|
| 1.1 | 08-Sep-2006 |
elad | First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.2.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.2.2.1 | 08-Sep-2006 |
yamt | file secmodel_bsd44.c was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.3.2.1 | 22-Oct-2006 |
yamt | sync with head
|
| 1.4.6.4 | 07-Dec-2007 |
yamt | sync with head
|
| 1.4.6.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.4.6.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.4.6.1 | 06-Oct-2006 |
yamt | file secmodel_bsd44.c was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.4.2.4 | 01-Feb-2007 |
ad | Sync with head.
|
| 1.4.2.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.4.2.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.4.2.1 | 06-Oct-2006 |
ad | file secmodel_bsd44.c was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.10.26.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.10.24.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.10.20.1 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.10.18.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.11.32.1 | 13-May-2009 |
jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.
|
| 1.11.18.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.11.18.1 | 04-May-2009 |
yamt | sync with head.
|
| 1.13.12.2 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.13.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.14.2.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.15.10.1 | 18-May-2014 |
rmind | sync with head
|
| 1.15.6.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.16.30.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.6 | 02-Oct-2009 |
elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.5 | 03-May-2009 |
elad | Move dovfsusermount to secmodel_bsd44, where it really belongs.
The secmodel code now creates the same knob in two places: both under the
secmodel itself, as well as the widely known location.
Mailing list references:
http://mail-index.netbsd.org/source-changes/2009/05/02/msg220641.html
http://mail-index.netbsd.org/tech-kern/2009/05/03/msg005015.html
|
| 1.4 | 21-Nov-2007 |
elad | branches: 1.4.18; 1.4.32;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.3 | 09-Jan-2007 |
elad | branches: 1.3.18; 1.3.20; 1.3.24; 1.3.26;
Remove advertising clause from all of my stuff.
|
| 1.2 | 08-Sep-2006 |
elad | branches: 1.2.2; 1.2.6; 1.2.10;
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
|
| 1.1 | 08-Sep-2006 |
elad | First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.2.10.4 | 07-Dec-2007 |
yamt | sync with head
|
| 1.2.10.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.2.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.2.10.1 | 08-Sep-2006 |
yamt | file secmodel_bsd44_logic.c was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.2.6.2 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.2.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.2.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.2.2.1 | 08-Sep-2006 |
yamt | file secmodel_bsd44_logic.c was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.3.26.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.3.24.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.3.20.1 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.3.18.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.4.32.1 | 13-May-2009 |
jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.
|
| 1.4.18.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.4.18.1 | 04-May-2009 |
yamt | sync with head.
|
| 1.31 | 21-Nov-2007 |
elad | Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.30 | 09-Jul-2007 |
ad | branches: 1.30.6; 1.30.8; 1.30.12; 1.30.14;
Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
|
| 1.29 | 10-Jan-2007 |
elad | branches: 1.29.6; 1.29.8;
Make 'securelevel' internal to the secmodel.
|
| 1.28 | 09-Jan-2007 |
elad | Remove advertising clause from all of my stuff.
|
| 1.27 | 02-Jan-2007 |
elad | Add 'stop' routines to do the exact opposite of the 'start' routines for
'securelevel' and 'suser' parts of secmodel_bsd44.
|
| 1.26 | 02-Jan-2007 |
elad | Don't leak listeners.
|
| 1.25 | 02-Jan-2007 |
elad | Consistent naming in sysctl(9) setup routines.
|
| 1.24 | 02-Jan-2007 |
elad | Make the securelevel contained by not exposing the variable that keeps
it outside secmodel_bsd44_securelevel.c.
|
| 1.23 | 02-Jan-2007 |
elad | Add KAUTH_SYSTEM_CHSYSFLAGS so we can get rid of the last three
securelevel references (ufs, ext2fs, tmpfs).
Intentionally undocumented.
|
| 1.22 | 02-Jan-2007 |
elad | Make mount(2) and unmount(2) use kauth(9) for security policy.
Okay yamt@.
|
| 1.21 | 31-Dec-2006 |
elad | Remove XXX comment about making 'securelevel' a static.
|
| 1.20 | 26-Dec-2006 |
elad | branches: 1.20.2;
Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
|
| 1.19 | 02-Dec-2006 |
elad | Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.
Discussed on tech-security@ and tech-kern@. Okay tls@.
|
| 1.18 | 28-Nov-2006 |
elad | branches: 1.18.2;
Move ktrace, ptrace, systrace, and procfs to use kauth(9).
First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.
Add secmodel back-end to handle each subsystem.
|
| 1.17 | 26-Nov-2006 |
elad | Add an XXX comment so we don't forget what we need to do here:
* XXX: This is bogus. We should be failing the request
* XXX: not only if this specific slice is mounted, but
* XXX: if it's on a disk with any other mounted slice.
|
| 1.16 | 22-Nov-2006 |
elad | Prevent iopl/ioperm in securelevel 1, not 2.
|
| 1.15 | 22-Nov-2006 |
elad | Introduce KAUTH_REQ_MACHDEP_{ALPHA,X86}_UNMANAGEDMEM to handle access
to unmanaged memory.
These are the last two securelevel references in the MD code.
|
| 1.14 | 16-Nov-2006 |
christos | branches: 1.14.2;
__unused removal on arguments; approved by core.
|
| 1.13 | 07-Nov-2006 |
elad | Better VCHR handling.
|
| 1.12 | 06-Nov-2006 |
elad | simplify & fix logic in device/rawio/spec.
|
| 1.11 | 04-Nov-2006 |
elad | Use KASSERT() as requested by yamt@.
|
| 1.10 | 04-Nov-2006 |
elad | Change KAUTH_SYSTEM_RAWIO to KAUTH_DEVICE_RAWIO_SPEC (moving the raw i/o
requests to the device scope) and add KAUTH_DEVICE_RAWIO_PASSTHRU.
Expose iskmemdev() through sys/conf.h.
okay yamt@
|
| 1.9 | 12-Oct-2006 |
christos | - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
|
| 1.8 | 12-Oct-2006 |
elad | For raw disk requests, in case we don't have a vnode/device, use a
generic policy: always allow reading, allow writing in securelevel < 1
only.
|
| 1.7 | 22-Sep-2006 |
elad | Add missing break.
|
| 1.6 | 22-Sep-2006 |
elad | Make code more readable by removing some more casts forgotten in
previous commit.
|
| 1.5 | 19-Sep-2006 |
elad | Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.
While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).
Update documentation.
|
| 1.4 | 19-Sep-2006 |
elad | For the VBLK case, we always check vfs_mountedon() and it has nothing
to do with the security model used. Move back the call to spec_open(),
which can now return the real return value from vfs_mountedon() (EBUSY)
and not EPERM, changing semantics.
|
| 1.3 | 13-Sep-2006 |
dyoung | branches: 1.3.2; 1.3.4;
In secmodel_bsd44_securelevel_system_cb(), compare dev_t dev with
NODEV, not 0, since 0 is a legit value for a dev_t. Now I can
'mount /dev/wd0a /mnt' again.
|
| 1.2 | 08-Sep-2006 |
elad | Add __KERNEL_RCSID(), requested by and okay xtraeme@.
|
| 1.1 | 08-Sep-2006 |
elad | First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.3.4.2 | 10-Dec-2006 |
yamt | sync with head.
|
| 1.3.4.1 | 22-Oct-2006 |
yamt | sync with head
|
| 1.3.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.3.2.1 | 13-Sep-2006 |
yamt | file secmodel_bsd44_securelevel.c was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.14.2.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.14.2.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.14.2.1 | 16-Nov-2006 |
ad | file secmodel_bsd44_securelevel.c was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.18.2.3 | 06-Jan-2007 |
bouyer | Pull up following revision(s) (requested by elad in ticket #325):
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.25
Consistent naming in sysctl(9) setup routines.
|
| 1.18.2.2 | 06-Jan-2007 |
bouyer | Pull up following revision(s) (requested by elad in ticket #316):
share/examples/secmodel/secmodel_example.c: revision 1.10 via patch
sys/arch/i386/i386/sys_machdep.c: revision 1.79
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.31
share/man/man9/secmodel_bsd44.9: revision 1.9
sys/arch/vax/vax/mem.c: revision 1.34 via patch
sys/arch/sh3/sh3/mem.c: revision 1.23 via patch
sys/arch/sh5/sh5/mem.c: revision 1.14 via patch
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.22 via patch
sys/arch/powerpc/powerpc/mem.c: revision 1.27 via patch
sys/arch/x86/x86/x86_machdep.c: revision 1.5
sys/arch/alpha/alpha/machdep.c: revision 1.291
sys/arch/arm/arm32/mem.c: revision 1.17 via patch
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.20
sys/sys/kauth.h: revision 1.29 via patch
sys/arch/amd64/amd64/sys_machdep.c: revision 1.10
share/man/man9/kauth.9: revision 1.43 via patch
sys/arch/xen/i386/sys_machdep.c: revision 1.10
sys/kern/kern_auth.c: revision 1.35
sys/arch/pc532/pc532/mem.c: revision 1.43 via patch
Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
|
| 1.18.2.1 | 04-Dec-2006 |
tron | Pull up following revision(s) (requested by elad in ticket #247):
sys/dev/ic/dpt.c: revision 1.55
sys/dev/pci/amr.c: revision 1.43
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.19
sys/dev/pci/mly.c: revision 1.33
share/man/man9/kauth.9: revision 1.37
sys/dev/ic/mlx.c: revision 1.49
sys/dev/ic/icp_ioctl.c: revision 1.14
sys/dev/i2o/iop.c: revision 1.62
sys/dev/pci/twe.c: revision 1.82
sys/sys/kauth.h: revision 1.25
sys/dev/i2o/dpti.c: revision 1.31
sys/kern/kern_auth.c: revision 1.33
sys/dev/tc/stic.c: revision 1.37
Change kauth(9) KPI for kauth_authorize_device_passthru() to add another
argument, u_long, serving as a bit-mask of generic requests for the
passthru request.
Discussed on tech-security@ and tech-kern@. Okay tls@.
|
| 1.20.2.5 | 07-Dec-2007 |
yamt | sync with head
|
| 1.20.2.4 | 03-Sep-2007 |
yamt | sync with head.
|
| 1.20.2.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.20.2.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.20.2.1 | 26-Dec-2006 |
yamt | file secmodel_bsd44_securelevel.c was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.29.8.1 | 11-Jul-2007 |
mjf | Sync with head.
|
| 1.29.6.1 | 13-Apr-2007 |
ad | - Make the devsw interface MP safe, and add some comments.
- Allow individual block/character drivers to be marked MP safe.
- Provide wrappers around the device methods that look up the
device, returning ENXIO if it's not found, and acquire the
kernel lock if needed.
|
| 1.30.14.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.30.12.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.30.8.1 | 23-Mar-2008 |
matt | sync with HEAD
|
| 1.30.6.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.72 | 02-Oct-2009 |
elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.71 | 03-Sep-2009 |
elad | Implement the vnode scope and adapt tmpfs to use it.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
|
| 1.70 | 10-Aug-2009 |
plunky | reduce the number of KAUTH_DEVICE_BLUETOOTH_SEND/RECV requests
by passing the packet type as an argument rather than having
a different request for each type.
(from a suggestion by mrg)
|
| 1.69 | 10-Aug-2009 |
plunky | remove last usage of KAUTH_ISSUSER in bluetooth code by adding
some requests to the device scope:
KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND
KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND
KAUTH_DEVICE_BLUETOOTH_RECV_EVENT
KAUTH_DEVICE_BLUETOOTH_RECV_DATA
and a listener tied to the HCI protocol that will approve the basic
minimum to be sent and received.
handle the requests in the bsd44_suser listener by approving all
when the credential is root.
|
| 1.68 | 25-Jul-2009 |
mbalmer | Extend the existing security models for upcoming gpio(4) changes.
Reviewed and feedback by Elad Efrat.
|
| 1.67 | 08-May-2009 |
elad | Add and use a network scope action/request for tun(4), similar to ppp(4),
sl(4), and strip(4).
|
| 1.66 | 07-May-2009 |
elad | Introduce several actions/requests for authorizing file-system related
operations, specifically quota and block allocation from reserved space.
Modify ufs_quotactl() to accomodate passing "mp" earlier by vfs_busy()ing
it a little bit higher.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/04/26/msg004936.html
Note that the umapfs request mentioned in this thread was NOT added as
there is still on-going discussion regarding the proper implementation.
|
| 1.65 | 07-May-2009 |
elad | Introduce actions/requests to handle authorization for ppp(4), sl(4),
strip(4), btuart(4) and bcsp(4) network interfaces and devices.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004955.html
|
| 1.64 | 05-May-2009 |
elad | Add device scope actions for rnd(4) and use them.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004953.html
|
| 1.63 | 03-May-2009 |
elad | Add a bluetooth action to the device scope and use it in netbt as a
replacement for KAUTH_GENERIC_ISSUSER.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/04/25/msg004905.html
Bluetooth-specific authorization wrapper might come later.
|
| 1.62 | 15-Apr-2009 |
elad | Remove a few KAUTH_GENERIC_ISSUSER in favor of more descriptive
alternatives.
Discussed on tech-kern:
http://mail-index.netbsd.org/tech-kern/2009/04/11/msg004798.html
Input from ad@, christos@, dyoung@, tsutsui@.
Okay ad@.
|
| 1.61 | 12-Nov-2008 |
ad | branches: 1.61.4;
Correct check for autoloaded modules.
|
| 1.60 | 12-Nov-2008 |
ad | Remove LKMs and switch to the module framework, pass 1.
Proposed on tech-kern@.
|
| 1.59 | 22-Oct-2008 |
ad | branches: 1.59.2; 1.59.4;
- Be clear about whether module load is explicit or system initiated (auto).
- Require that module_lock is held to autoload, so that any preconditions
can be safely checked.
|
| 1.58 | 11-Oct-2008 |
pooka | Move uidinfo to its own module in kern_uidinfo.c and include in rump.
No functional change to uidinfo.
|
| 1.57 | 09-Mar-2008 |
rmind | branches: 1.57.4; 1.57.10;
Remove include of sys/pset.h in sys/lwp.h header.
Include it in few appropriate sources.
|
| 1.56 | 02-Mar-2008 |
elad | Forgot this file in the previous commit.
Backend for the newly added KAUTH_NETWORK_NFS action.
Spotted by Paul Goyette on current-users@, thanks!
|
| 1.55 | 28-Feb-2008 |
elad | Factor out the guts of get/setparam so it can be used from the compat code.
Make the FreeBSD and Linux compat code convert the parameters to their
native representation and call the native routines.
Remove KAUTH_PROCESS_SCHEDULER_GET/SET.
Update documentation and examples.
XXX: For now, only the Linux compat code does the priority conversion
XXX: right.
Linux priority conversion code from yamt@, thanks!
Okay yamt@.
|
| 1.54 | 27-Feb-2008 |
elad | Default defer, not deny.
Idea okay wrstuden@, no objections on tech-kern@ and tech-security@.
|
| 1.53 | 17-Feb-2008 |
elad | branches: 1.53.2; 1.53.6;
PR/37986: YAMAMOTO Takashi: any user can hog the all cpu with
_sched_setparam.
Pass proper context to kauth(9) for a decision to made based on the
scheduling policy and priority.
|
| 1.52 | 16-Feb-2008 |
elad | Fold KAUTH_REQ_PROCESS_SCHEDULER_* to KAUTH_PROCESS_SCHEDULER_*. In other
words, don't pass an action and a request, and just use a single action to
indicate what is the operation in question.
This is the first step in fixing PR/37986, which calls for policy/priority
checking in the secmodel code. Right now we're lacking room for another
parameter required to make a decision, and this change makes room for such.
|
| 1.51 | 12-Feb-2008 |
elad | Default deny and explicit allow policy in all listeners.
No objections on tech-security@ and tech-kern@.
|
| 1.50 | 02-Feb-2008 |
elad | Add, document, and use KAUTH_REQ_PROCESS_KTRACE_PERSISTENT.
|
| 1.49 | 02-Feb-2008 |
elad | KTRFAC_ROOT -> KTRFAC_PERSISTENT, and update comments.
Discussed with christos@ and yamt@.
|
| 1.48 | 01-Feb-2008 |
elad | Replace a KAUTH_GENERIC_ISSUSER in the cpuctl code with a proper kauth
request.
Reviewed by ad@, tested by me.
|
| 1.47 | 30-Jan-2008 |
elad | Use proper kauth(9) actions/requests for native scheduler stuff and the
recently introduced processor-sets.
Discussed with and okay rmind@, yamt@, and christos@.
|
| 1.46 | 23-Jan-2008 |
elad | Tons of process scope changes.
- Add a KAUTH_PROCESS_SCHEDULER action, to handle scheduler related
requests, and add specific requests for set/get scheduler policy and
set/get scheduler parameters.
- Add a KAUTH_PROCESS_KEVENT_FILTER action, to handle kevent(2) related
requests.
- Add a KAUTH_DEVICE_TTY_STI action to handle requests to TIOCSTI.
- Add requests for the KAUTH_PROCESS_CANSEE action, indicating what
process information is being looked at (entry itself, args, env,
open files).
- Add requests for the KAUTH_PROCESS_RLIMIT action indicating set/get.
- Add requests for the KAUTH_PROCESS_CORENAME action indicating set/get.
- Make bsd44 secmodel code handle the newly added rqeuests appropriately.
All of the above make it possible to issue finer-grained kauth(9) calls in
many places, removing some KAUTH_GENERIC_ISSUSER requests.
- Remove the "CAN" from KAUTH_PROCESS_CAN{KTRACE,PROCFS,PTRACE,SIGNAL}.
Discussed with christos@ and yamt@.
|
| 1.45 | 16-Jan-2008 |
ad | Pull in my modules code for review/test/hacking.
|
| 1.44 | 07-Jan-2008 |
elad | Make fork use kauth.
Been running in my tree for over a month at least.
Reviewed and okay yamt@, and special thanks to him as well as rittera@
for making this possible through fixing NDIS to not call fork1() with
l1 != curlwp.
|
| 1.43 | 31-Dec-2007 |
ad | Remove systrace. Ok core@.
|
| 1.42 | 01-Dec-2007 |
elad | branches: 1.42.6;
Add PT_TRACE_ME to switch statement.
This caused trouble with ptrace, and noted just now thanks to a strict
policy design. Noted (and fix verified by) mjf@, thanks.
|
| 1.41 | 25-Nov-2007 |
elad | Deprecate KAUTH_REQ_SYSTEM_TIME_BACKWARDS, as it was merged into
KAUTH_REQ_SYSTEM_TIME_SYSTEM.
|
| 1.40 | 25-Nov-2007 |
elad | Refactor time modification checks and place them in the secmodel code.
okay christos@
|
| 1.39 | 24-Nov-2007 |
elad | Fix a long time issue where the securelevel secmodel would explicitly
allow certain operations.
The suser module of the bsd44 secmodel code was made aware of the missing
operations that were explicitly allowed in the securelevel module, and
the logic in the latter was modified to a default defer, deny where not
allowed.
This concept, which is the correct way to write secmodel code, was first
brought up by pavel@ a long time ago.
okay christos@.
|
| 1.38 | 23-Nov-2007 |
elad | Kill another instance of KAUTH_GENERIC_ISSUSER.
|
| 1.37 | 21-Feb-2007 |
thorpej | branches: 1.37.16; 1.37.18; 1.37.24;
Replace the Mach-derived boolean_t type with the C99 bool type. A
future commit will replace use of TRUE and FALSE with true and false.
|
| 1.36 | 17-Feb-2007 |
pavel | Change the process/lwp flags seen by userland via sysctl back to the
P_*/L_* naming convention, and rename the in-kernel flags to avoid
conflict. (P_ -> PK_, L_ -> LW_ ). Add back the (now unused) LSDEAD
constant.
Restores source compatibility with pre-newlock2 tools like ps or top.
Reviewed by Andrew Doran.
|
| 1.35 | 09-Feb-2007 |
ad | branches: 1.35.2;
Merge newlock2 to head.
|
| 1.34 | 01-Feb-2007 |
plunky | Add another hardwired exception to the SOCK_RAW / superuser rule, because
(PF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) sockets need to be accessable for
normal users.
|
| 1.33 | 20-Jan-2007 |
elad | Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.
|
| 1.32 | 15-Jan-2007 |
elad | Avoid proc_uidmatch() for rlimits if p is curproc.
|
| 1.31 | 09-Jan-2007 |
elad | Make readable.
|
| 1.30 | 09-Jan-2007 |
elad | Remove advertising clause from all of my stuff.
|
| 1.29 | 05-Jan-2007 |
elad | Fallthrough.
|
| 1.28 | 02-Jan-2007 |
elad | Add 'stop' routines to do the exact opposite of the 'start' routines for
'securelevel' and 'suser' parts of secmodel_bsd44.
|
| 1.27 | 02-Jan-2007 |
elad | Don't leak listeners.
|
| 1.26 | 02-Jan-2007 |
elad | Add missing break...
|
| 1.25 | 02-Jan-2007 |
elad | Need vnode.h here.
|
| 1.24 | 02-Jan-2007 |
elad | Make mount(2) and unmount(2) use kauth(9) for security policy.
Okay yamt@.
|
| 1.23 | 27-Dec-2006 |
elad | branches: 1.23.2;
Refactor a bit the ptrace(2) code: first make the keep-kernel-stable
decisions, then have a kauth(9) call for security policy enforcement,
and only then proceed to processing each request.
Add a KAUTH_PROCESS_CANSEE call right after pfind(). This should really
be done differently, so mark it with XXX.
|
| 1.22 | 26-Dec-2006 |
elad | Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
|
| 1.21 | 25-Dec-2006 |
elad | PR/35226: Johann Franz: Problems with permissions in
/usr/pkg/emul/linux/proc .
Okay mlelstv@
|
| 1.20 | 22-Dec-2006 |
elad | Add requests indicating access to unmanaged memory for arm, pc532, powerpc,
sh3, sh5, and vax, and use them instead of KAUTH_GENERIC_ISSUSER.
Update documentation and example secmodel code.
|
| 1.19 | 19-Dec-2006 |
elad | Don't allow anyone but the superuser to do 'ctl' on procfs nodes.
|
| 1.18 | 14-Dec-2006 |
elad | - moves 'nice' access semantics to secmodel code,
- makes sysctl_proc_find() just lookup the process,
- use KAUTH_PROCESS_CANSEE requests to determine if the caller is
allowed to view the target process' corename, stop flags, and
rlimits,
- use explicit kauth(9) calls with KAUTH_PROCESS_CORENAME,
KAUTH_REQ_PROCESS_RESOURCE_NICE, KAUTH_REQ_PROCESS_RESOURCE_RLIMIT,
and KAUTH_PROCESS_STOPFLAG when modifying the aforementioned.
- sync man-page and example skeleton secmodel with reality.
okay yamt@
this is a pullup candidate.
|
| 1.17 | 28-Nov-2006 |
elad | branches: 1.17.2;
Move ktrace, ptrace, systrace, and procfs to use kauth(9).
First, remove process_checkioperm() calls from MD code. Similar checks
using kauth(9) routines (on the process scope, using appropriate action)
are done in the callers.
Add secmodel back-end to handle each subsystem.
|
| 1.16 | 16-Nov-2006 |
christos | branches: 1.16.2;
__unused removal on arguments; approved by core.
|
| 1.15 | 14-Nov-2006 |
dyoung | Fix a regression in socket(2): in the BSD 4.4 security model, you
don't have to be the superuser to open a PF_ROUTE socket.
Now, 'route -n get default' works again.
|
| 1.14 | 30-Oct-2006 |
elad | Use integers, not pointers to integers, for KAUTH_REQ_NETWORK_SOCKET_OPEN.
Reminded by yamt@, thanks!
|
| 1.13 | 25-Oct-2006 |
elad | Introduce KAUTH_REQ_NETWORK_SOCKET_OPEN, to check if opening a socket is
allowed. It takes three int * arguments indicating domain, type, and
protocol. Replace previous KAUTH_REQ_NETWORK_SOCKET_RAWSOCK with it (but
keep it still).
Places that used to explicitly check for privileged context now don't
need it anymore, so I replaced these with XXX comment indiacting it for
future reference.
Documented and updated examples as well.
|
| 1.12 | 24-Oct-2006 |
elad | oops, fix license. (hah!)
|
| 1.11 | 20-Oct-2006 |
elad | Introduce a new action on the network scope, KAUTH_NETWORK_INTERFACE,
used to manage network interfaces.
Add four sub-actions to fulfill generic needs for now, until a more
carefully defined usage of the interface is documented: get, set,
getpriv, and setpriv.
|
| 1.10 | 20-Oct-2006 |
elad | Add a new ALTQ kauth(9) request, KAUTH_REQ_NETWORK_ALTQ_JOBS.
|
| 1.9 | 13-Oct-2006 |
elad | Introduce KAUTH_REQ_NETWORK_SOCKET_CANSEE. Since we're not gonna be having
credentials on sockets, at least not anytime soon, this is a way to check
if we can "look" at a socket. Later on when (and if) we do have socket
credentials, the interface usage remains the same because we pass the
socket.
This also fixes sysctl for inet/inet6 pcblist.
|
| 1.8 | 12-Oct-2006 |
christos | - sprinkle __unused on function decls.
- fix a couple of unused bugs
- no more -Wno-unused for i386
|
| 1.7 | 30-Sep-2006 |
elad | Implement the "device" scope.
It uses an authorization wrapper per device class on the system to
ensure type-safety.
For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.
Update documentation.
|
| 1.6 | 27-Sep-2006 |
elad | Don't care for super-user in packet filter rules, it's done via a device
anyway. Same as the clock-related change few days ago.
Should address PR/34635 from victori at lamer0 dot com
|
| 1.5 | 24-Sep-2006 |
elad | Super-user access only matters for part of the KAUTH_SYSTEM_TIME requests,
so defer the ones we don't care about.
Thanks to Jukka Salmi for the ktrace output!
|
| 1.4 | 22-Sep-2006 |
elad | Make code more readable by removing some more casts forgotten in
previous commit.
|
| 1.3 | 19-Sep-2006 |
elad | Remove ugly (void *) casts from network scope authorization wrapper and
calls to it.
While here, adapt code for system scope listeners to avoid some more
casts (forgotten in previous run).
Update documentation.
|
| 1.2 | 08-Sep-2006 |
elad | branches: 1.2.2; 1.2.4;
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
|
| 1.1 | 08-Sep-2006 |
elad | First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.2.4.4 | 21-Dec-2006 |
yamt | sync with head.
|
| 1.2.4.3 | 18-Dec-2006 |
yamt | sync with head.
|
| 1.2.4.2 | 10-Dec-2006 |
yamt | sync with head.
|
| 1.2.4.1 | 22-Oct-2006 |
yamt | sync with head
|
| 1.2.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.2.2.1 | 08-Sep-2006 |
yamt | file secmodel_bsd44_suser.c was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.16.2.5 | 09-Feb-2007 |
ad | Sync with HEAD.
|
| 1.16.2.4 | 01-Feb-2007 |
ad | Sync with head.
|
| 1.16.2.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.16.2.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.16.2.1 | 16-Nov-2006 |
ad | file secmodel_bsd44_suser.c was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.17.2.4 | 09-Feb-2007 |
tron | Pull up following revision(s) (requested by plunky in ticket #406):
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.34
Add another hardwired exception to the SOCK_RAW / superuser rule, because
(PF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) sockets need to be accessable for
normal users.
|
| 1.17.2.3 | 21-Jan-2007 |
bouyer | Pull up following revision(s) (requested by elad in ticket #379):
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.33 via patch
share/examples/secmodel/secmodel_example.c: revision 1.14 via patch
sys/sys/kauth.h: revision 1.35 via patch
sys/kern/kern_resource.c: revision 1.112 via patch
share/man/man9/kauth.9: revision 1.48 via patch
Kill KAUTH_PROCESS_RESOURCE and just replace it with two actions for
nice and rlimit.
|
| 1.17.2.2 | 06-Jan-2007 |
bouyer | Pull up following revision(s) (requested by elad in ticket #316):
share/examples/secmodel/secmodel_example.c: revision 1.10 via patch
sys/arch/i386/i386/sys_machdep.c: revision 1.79
sys/arch/amd64/amd64/netbsd32_machdep.c: revision 1.31
share/man/man9/secmodel_bsd44.9: revision 1.9
sys/arch/vax/vax/mem.c: revision 1.34 via patch
sys/arch/sh3/sh3/mem.c: revision 1.23 via patch
sys/arch/sh5/sh5/mem.c: revision 1.14 via patch
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.22 via patch
sys/arch/powerpc/powerpc/mem.c: revision 1.27 via patch
sys/arch/x86/x86/x86_machdep.c: revision 1.5
sys/arch/alpha/alpha/machdep.c: revision 1.291
sys/arch/arm/arm32/mem.c: revision 1.17 via patch
sys/secmodel/bsd44/secmodel_bsd44_securelevel.c: revision 1.20
sys/sys/kauth.h: revision 1.29 via patch
sys/arch/amd64/amd64/sys_machdep.c: revision 1.10
share/man/man9/kauth.9: revision 1.43 via patch
sys/arch/xen/i386/sys_machdep.c: revision 1.10
sys/kern/kern_auth.c: revision 1.35
sys/arch/pc532/pc532/mem.c: revision 1.43 via patch
Make machdep scope architecture-agnostic by removing all arch-specific
requests and centralizing them all. The result is that some of these
are not used on some architectures, but the documentation was updated
to reflect that.
|
| 1.17.2.1 | 03-Jan-2007 |
tron | Pull up following revision(s) (requested by elad in ticket #308):
sys/secmodel/bsd44/secmodel_bsd44_suser.c: revision 1.21 via patch
sys/miscfs/procfs/procfs_vnops.c: revision 1.144
PR/35226: Johann Franz: Problems with permissions in
/usr/pkg/emul/linux/proc .
Okay mlelstv@
|
| 1.23.2.8 | 17-Mar-2008 |
yamt | sync with head.
|
| 1.23.2.7 | 27-Feb-2008 |
yamt | sync with head.
|
| 1.23.2.6 | 04-Feb-2008 |
yamt | sync with head.
|
| 1.23.2.5 | 21-Jan-2008 |
yamt | sync with head
|
| 1.23.2.4 | 07-Dec-2007 |
yamt | sync with head
|
| 1.23.2.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.23.2.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.23.2.1 | 27-Dec-2006 |
yamt | file secmodel_bsd44_suser.c was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.35.2.1 | 27-Feb-2007 |
yamt | - sync with head.
- move sched_changepri back to kern_synch.c as it doesn't know PPQ anymore.
|
| 1.37.24.2 | 18-Feb-2008 |
mjf | Sync with HEAD.
|
| 1.37.24.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.37.18.2 | 23-Mar-2008 |
matt | sync with HEAD
|
| 1.37.18.1 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.37.16.2 | 03-Dec-2007 |
joerg | Sync with HEAD.
|
| 1.37.16.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.42.6.4 | 23-Jan-2008 |
bouyer | Sync with HEAD.
|
| 1.42.6.3 | 19-Jan-2008 |
bouyer | Sync with HEAD
|
| 1.42.6.2 | 08-Jan-2008 |
bouyer | Sync with HEAD
|
| 1.42.6.1 | 02-Jan-2008 |
bouyer | Sync with HEAD
|
| 1.53.6.2 | 17-Jan-2009 |
mjf | Sync with HEAD.
|
| 1.53.6.1 | 03-Apr-2008 |
mjf | Sync with HEAD.
|
| 1.53.2.1 | 24-Mar-2008 |
keiichi | sync with head.
|
| 1.57.10.2 | 13-Dec-2008 |
haad | Update haad-dm branch to haad-dm-base2.
|
| 1.57.10.1 | 19-Oct-2008 |
haad | Sync with HEAD.
|
| 1.57.4.5 | 11-Mar-2010 |
yamt | sync with head
|
| 1.57.4.4 | 16-Sep-2009 |
yamt | sync with head
|
| 1.57.4.3 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.57.4.2 | 16-May-2009 |
yamt | sync with head
|
| 1.57.4.1 | 04-May-2009 |
yamt | sync with head.
|
| 1.59.4.1 | 04-Feb-2012 |
bouyer | Apply patch, requested by jmcneill in ticket #1668:
sys/arch/amd64/amd64/syscall.c patch
sys/arch/i386/i386/syscall.c patch
sys/arch/i386/i386/trap.c patch
sys/kern/kern_sig.c patch
sys/kern/kern_sleepq.c patch
sys/kern/kern_subr.c patch
sys/kern/sys_process.c patch
sys/secmodel/bsd44/secmodel_bsd44_suser.c patch
sys/sys/proc.h patch
sys/sys/ptrace.h patch
arch/i386/i386/machdep.c, arch/amd64/amd64/machdep.c (from
arch/x86/x86/machdep.c) by christos:
Remove code that was used to avoid register spills. setcontext(2) can change
the registers, so re-fetching will produce the wrong result for trace_exit().
arch/i386/i386/trap.c by reinoud:
Fix the illegal instruction return address. It was using the value of the
cpu's %cr2 register but thats not valid:
CR2 Contains a value called Page Fault Linear Address (PFLA). When a page
fault occurs, the address the program attempted to access is stored in the CR2
register.
And this is thus NOT the illegal instruction address!
kern/kern_sig.c by christos:
PR kern/45327: Jared McNeill: ptrace: siginfo doesn't work with traced processes
When saving the signal in p->p_xstat, clear it from the pending mask, but
don't remove it from the siginfo queue, so that next time the debugger
delivers it, the original information is found.
When posting a signal from the debugger l->l_sigpendset is not set, so we
use the process pending signal and add it back to the process pending set.
Split sigget into sigget() and siggetinfo(). When a signal comes from the
debugger (l->l_sigpendset == NULL), using siggetinfo() try to fetch the
siginfo information from l->l_sigpend and then from p->p_sigpend if it
was not found. This allows us to pass siginfo information for traps from
the debugger.
don't delete signal from the debugger.
kern/kern_sleepq.c by christos:
PR kern/40594: Antti Kantee: Don't call issignal() here to determine what errno
to set for the interrupted syscall, because issignal() will consume the signal
and it will not be delivered to the process afterwards. Instead call
sigispending() (which now returns the first pending signal) and does not
consume the signal.
We need to process SA_STOP signals immediately, and not deliver them to
the process. Instead of re-structuring the code to do that, call issignal()
like before in that case. (tail -F /file^Zfg should not get interrupted).
kern/kern_subr.c by jmcneill, christos:
PR kern/45312: ptrace: PT_SETREGS can't alter system calls
Add a new PT_SYSCALLEMU request that cancels the current syscall, for
use with PT_SYSCALL.
For PT_SYSCALLEMU, no need to stop again on syscall exit.
ifdef unused variable with -UPTRACE
kern/sys_process.c, sys/proc.h, sys/ptrace.h, secmodel/bsd44/secmodel_bsd44_suser.c by jmcneill, christos:
PR kern/43681: PT_SYSCALL appears to be broken
sys_ptrace: For PT_CONTINUE/PT_SYSCALL/PT_DETACH, modify the p_trace_enabled
flag of the target process, not the calling process.
Process the signal now, otherwise calling issignal() and ignoring
the return will lose the signal if it came from the debugger
(issignal() clears p->p_xstat)
PR kern/45312: ptrace: PT_SETREGS can't alter system calls
Add a new PT_SYSCALLEMU request that cancels the current syscall, for
use with PT_SYSCALL.
PR kern/45330: ptrace: signals can alter syscall return values
process_stoptrace: defer signal processing to userret, ok christos@
|
| 1.59.2.2 | 28-Apr-2009 |
skrll | Sync with HEAD.
|
| 1.59.2.1 | 19-Jan-2009 |
skrll | Sync with HEAD.
|
| 1.61.4.1 | 13-May-2009 |
jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.
|
| 1.6 | 21-Nov-2007 |
elad | Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.5 | 09-Jan-2007 |
elad | branches: 1.5.18; 1.5.20; 1.5.24; 1.5.26;
Remove advertising clause from all of my stuff.
|
| 1.4 | 02-Jan-2007 |
elad | Add 'stop' routines to do the exact opposite of the 'start' routines for
'securelevel' and 'suser' parts of secmodel_bsd44.
|
| 1.3 | 02-Jan-2007 |
elad | Add prototypes for the sysctl(9) setup routines for LKMs only.
|
| 1.2 | 04-Nov-2006 |
elad | branches: 1.2.2; 1.2.6;
Oops, forgot to do this one in previous commit.
Pointed out by mjf@, thanks!
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.4;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.4.1 | 10-Dec-2006 |
yamt | sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file securelevel.h was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.6.4 | 07-Dec-2007 |
yamt | sync with head
|
| 1.2.6.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.2.6.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.2.6.1 | 04-Nov-2006 |
yamt | file securelevel.h was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.2.2.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.2.2.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.2.2.1 | 04-Nov-2006 |
ad | file securelevel.h was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.5.26.1 | 08-Dec-2007 |
mjf | Sync with HEAD.
|
| 1.5.24.1 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.5.20.1 | 23-Mar-2008 |
matt | sync with HEAD
|
| 1.5.18.1 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.7 | 02-Oct-2009 |
elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.6 | 03-Sep-2009 |
elad | Implement the vnode scope and adapt tmpfs to use it.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
|
| 1.5 | 03-May-2009 |
elad | Move dovfsusermount to secmodel_bsd44, where it really belongs.
The secmodel code now creates the same knob in two places: both under the
secmodel itself, as well as the widely known location.
Mailing list references:
http://mail-index.netbsd.org/source-changes/2009/05/02/msg220641.html
http://mail-index.netbsd.org/tech-kern/2009/05/03/msg005015.html
|
| 1.4 | 09-Jan-2007 |
elad | branches: 1.4.44; 1.4.60;
Remove advertising clause from all of my stuff.
|
| 1.3 | 02-Jan-2007 |
elad | Add 'stop' routines to do the exact opposite of the 'start' routines for
'securelevel' and 'suser' parts of secmodel_bsd44.
|
| 1.2 | 30-Sep-2006 |
elad | branches: 1.2.2; 1.2.6;
Implement the "device" scope.
It uses an authorization wrapper per device class on the system to
ensure type-safety.
For now, it supports only terminal (TTY) devices, and has two actions
for them: "open terminal" and "privileged set". Sample usage has been
added to i386 and hp300 code for reference.
Update documentation.
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.4;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.4.1 | 22-Oct-2006 |
yamt | sync with head
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file suser.h was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.6.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.2.6.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.2.6.1 | 30-Sep-2006 |
yamt | file suser.h was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.2.2.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.2.2.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.2.2.1 | 30-Sep-2006 |
ad | file suser.h was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.4.60.1 | 13-May-2009 |
jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.
|
| 1.4.44.3 | 11-Mar-2010 |
yamt | sync with head
|
| 1.4.44.2 | 16-Sep-2009 |
yamt | sync with head
|
| 1.4.44.1 | 04-May-2009 |
yamt | sync with head.
|
| 1.1 | 04-Dec-2011 |
jym | branches: 1.1.4; 1.1.6;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.1.6.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.6.1 | 04-Dec-2011 |
yamt | file extensions.h was added on branch yamt-pagecache on 2012-04-17 00:08:50 +0000
|
| 1.1.4.2 | 18-Feb-2012 |
mrg | merge from -current (not sure why these were missed).
|
| 1.1.4.1 | 04-Dec-2011 |
mrg | file extensions.h was added on branch jmcneill-usbmp on 2012-02-18 07:58:23 +0000
|
| 1.1 | 22-Apr-2023 |
riastradh | secmodel_extensions: Split vfs part into separate .c file.
This way we can provide weak rumpkern stubs that don't require
rumpvfs for things that are relevant to vfs, but if you do link
rumpvfs then you get the same logic in secmodel extensions.
|
| 1.2 | 22-Apr-2023 |
riastradh | secmodel_extensions: Split vfs part into separate .c file.
This way we can provide weak rumpkern stubs that don't require
rumpvfs for things that are relevant to vfs, but if you do link
rumpvfs then you get the same logic in secmodel extensions.
|
| 1.1 | 04-Dec-2011 |
jym | branches: 1.1.4; 1.1.6;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.1.6.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.6.1 | 04-Dec-2011 |
yamt | file files.extensions was added on branch yamt-pagecache on 2012-04-17 00:08:50 +0000
|
| 1.1.4.2 | 18-Feb-2012 |
mrg | merge from -current (not sure why these were missed).
|
| 1.1.4.1 | 04-Dec-2011 |
mrg | file files.extensions was added on branch jmcneill-usbmp on 2012-02-18 07:58:23 +0000
|
| 1.16 | 22-Apr-2023 |
riastradh | secmodel_extensions: Split vfs part into separate .c file.
This way we can provide weak rumpkern stubs that don't require
rumpvfs for things that are relevant to vfs, but if you do link
rumpvfs then you get the same logic in secmodel extensions.
|
| 1.15 | 29-Mar-2022 |
christos | isroot should be bool...
|
| 1.14 | 28-Mar-2022 |
rillig | secmodel: fix grammar in description of hardlink_check_gid
|
| 1.13 | 27-Mar-2022 |
christos | Implement restrictions for adding hard links to files
|
| 1.12 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.11 | 21-Feb-2020 |
joerg | Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.
|
| 1.10 | 04-Sep-2018 |
maxv | branches: 1.10.6;
Introduce KAUTH_REQ_PROCESS_CANSEE_KPTR, and use it in the already-existing
modstat code. No real functional change.
|
| 1.9 | 25-Aug-2018 |
maxv | Add KAUTH_REQ_PROCESS_CANSEE_EPROC, and use it for the kern.proc node.
Same permission as before, so no functional change.
|
| 1.8 | 08-Apr-2018 |
kamil | branches: 1.8.2;
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs
Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.
Allow to read unconditionally Debug Registers (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with context of registers. Reading them should have
no security concerns.
Add a paranoid MI switch that prohibits by default setting these registers
by a regular user (non-superuser). Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.
Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.
Reviewed by <christos>
Sponsored by <The NetBSD Foundation>
|
| 1.7 | 12-Dec-2015 |
maxv | branches: 1.7.10; 1.7.16;
secmodel_extensions_system_cb() is not mount-specific, even though
KAUTH_SYSTEM_MOUNT happens to be the only option handled here.
Put everything into a swith(action). No functional change.
|
| 1.6 | 25-Feb-2014 |
pooka | branches: 1.6.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.5 | 28-Feb-2013 |
martin | branches: 1.5.6;
Make the callback deal with embryonic connections which do not have
credentials yet. Fixes PR kern/47598.
|
| 1.4 | 28-Jan-2013 |
jym | Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.3 | 13-Mar-2012 |
elad | branches: 1.3.2; 1.3.4;
Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.
Most of these changes were brought up in the following messages:
http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html
Thanks to christos, manu, njoly, and jmmv for input.
Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
|
| 1.2 | 04-Dec-2011 |
jym | branches: 1.2.2; 1.2.4; 1.2.8;
When user_set_cpu_affinity is non-zero, only allow users to modify
the CPU affinity of the LWPs they own.
|
| 1.1 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.2.8.2 | 14-Mar-2013 |
riz | Pull up following revision(s) (requested by martin in ticket #839):
sys/secmodel/extensions/secmodel_extensions.c: revision 1.5
Make the callback deal with embryonic connections which do not have
credentials yet. Fixes PR kern/47598.
|
| 1.2.8.1 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by jym in ticket #802):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.29
sys/secmodel/extensions/secmodel_extensions.c: revision 1.4
Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.2.4.3 | 05-Apr-2012 |
mrg | sync to latest -current.
|
| 1.2.4.2 | 18-Feb-2012 |
mrg | merge from -current (not sure why these were missed).
|
| 1.2.4.1 | 04-Dec-2011 |
mrg | file secmodel_extensions.c was added on branch jmcneill-usbmp on 2012-02-18 07:58:24 +0000
|
| 1.2.2.2 | 14-Mar-2013 |
riz | Pull up following revision(s) (requested by martin in ticket #839):
sys/secmodel/extensions/secmodel_extensions.c: revision 1.5
Make the callback deal with embryonic connections which do not have
credentials yet. Fixes PR kern/47598.
|
| 1.2.2.1 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by jym in ticket #802):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.29
sys/secmodel/extensions/secmodel_extensions.c: revision 1.4
Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.3.4.4 | 03-Dec-2017 |
jdolecek | update from HEAD
|
| 1.3.4.3 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.3.4.2 | 23-Jun-2013 |
tls | resync from head
|
| 1.3.4.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.3.2.3 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.3.2.2 | 17-Apr-2012 |
yamt | sync with head
|
| 1.3.2.1 | 13-Mar-2012 |
yamt | file secmodel_extensions.c was added on branch yamt-pagecache on 2012-04-17 00:08:50 +0000
|
| 1.5.6.1 | 18-May-2014 |
rmind | sync with head
|
| 1.6.6.1 | 27-Dec-2015 |
skrll | Sync with HEAD (as of 26th Dec)
|
| 1.7.16.2 | 06-Sep-2018 |
pgoyette | Sync with HEAD
Resolve a couple of conflicts (result of the uimin/uimax changes)
|
| 1.7.16.1 | 16-Apr-2018 |
pgoyette | Sync with HEAD, resolve some conflicts
|
| 1.7.10.1 | 12-Apr-2018 |
snj | Pull up following revision(s) (requested by kamil in ticket #713):
sys/secmodel/extensions/secmodel_extensions.c: 1.8
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs
Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.
Allow to read unconditionally Debug Registers (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with context of registers. Reading them should have
no security concerns.
Add a paranoid MI switch that prohibits by default setting these registers
by a regular user (non-superuser). Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.
Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.
Reviewed by <christos>
Sponsored by <The NetBSD Foundation>
|
| 1.8.2.2 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.8.2.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.10.6.1 | 29-Feb-2020 |
ad | Sync with head.
|
| 1.1 | 22-Apr-2023 |
riastradh | secmodel_extensions: Split vfs part into separate .c file.
This way we can provide weak rumpkern stubs that don't require
rumpvfs for things that are relevant to vfs, but if you do link
rumpvfs then you get the same logic in secmodel extensions.
|
| 1.1 | 14-Aug-2009 |
mbalmer | branches: 1.1.2;
Add support for multi-position electro-mechanical keylocks. An example
driver, gpiolock(4), is provided as an example how to interface real hardware.
A new securemodel, securemodel_keylock, is provided to show how this can
be used to tie keylocks to overall system security. This is experimental
code. The diff has been on tech-kern for several weeks.
Reviewed by many, kauth(9) integration reviewed by Elad Efrat; approved by
tonnerre@ and tron@. Thanks to everyone who provided feedback.
|
| 1.1.2.2 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.1.2.1 | 14-Aug-2009 |
yamt | file files.keylock was added on branch yamt-nfs-mp on 2009-08-19 18:48:31 +0000
|
| 1.2 | 10-Aug-2020 |
rin | Clean up _LKM --> _MODULE leftovers.
Note that _KERNEL is always defined for modules.
|
| 1.1 | 14-Aug-2009 |
mbalmer | branches: 1.1.2;
Add support for multi-position electro-mechanical keylocks. An example
driver, gpiolock(4), is provided as an example how to interface real hardware.
A new securemodel, securemodel_keylock, is provided to show how this can
be used to tie keylocks to overall system security. This is experimental
code. The diff has been on tech-kern for several weeks.
Reviewed by many, kauth(9) integration reviewed by Elad Efrat; approved by
tonnerre@ and tron@. Thanks to everyone who provided feedback.
|
| 1.1.2.2 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.1.2.1 | 14-Aug-2009 |
yamt | file keylock.h was added on branch yamt-nfs-mp on 2009-08-19 18:48:31 +0000
|
| 1.12 | 07-Dec-2021 |
andvar | s/dissallow/disallow/
|
| 1.11 | 05-Dec-2020 |
thorpej | Remove unnecessary inclusion of <sys/timevar.h>.
|
| 1.10 | 21-Feb-2020 |
joerg | branches: 1.10.6;
Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.
|
| 1.9 | 15-Jul-2018 |
maxv | branches: 1.9.6;
Retire ipkdb entirely. The option was removed from the config files
yesterday.
ok kamil christos
|
| 1.8 | 25-Feb-2014 |
pooka | branches: 1.8.28; 1.8.30;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.7 | 08-Dec-2011 |
jym | branches: 1.7.6; 1.7.10;
build fix for keylock secmodel(9).
|
| 1.6 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.5 | 19-Oct-2009 |
cegger | branches: 1.5.12; 1.5.16;
buildfix: define integer before use. i386 ALL kernel builds again
|
| 1.4 | 06-Oct-2009 |
elad | Factor out a block of code that appears in three places (Veriexec, keylock,
and securelevel) so that others can use it as well.
|
| 1.3 | 03-Oct-2009 |
elad | Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.
Replace open-coded form with it in secmodel code (securelevel, keylock).
Note: I need to find a way to make secmodel_keylock.c ~<100 lines.
|
| 1.2 | 15-Aug-2009 |
mbalmer | branches: 1.2.2;
Move the keylock.h header from sys/sys to sys/dev where it really belongs.
Add keylock options to the ALL kernel configuration.
|
| 1.1 | 14-Aug-2009 |
mbalmer | Add support for multi-position electro-mechanical keylocks. An example
driver, gpiolock(4), is provided as an example how to interface real hardware.
A new securemodel, securemodel_keylock, is provided to show how this can
be used to tie keylocks to overall system security. This is experimental
code. The diff has been on tech-kern for several weeks.
Reviewed by many, kauth(9) integration reviewed by Elad Efrat; approved by
tonnerre@ and tron@. Thanks to everyone who provided feedback.
|
| 1.2.2.3 | 11-Mar-2010 |
yamt | sync with head
|
| 1.2.2.2 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.2.2.1 | 15-Aug-2009 |
yamt | file secmodel_keylock.c was added on branch yamt-nfs-mp on 2009-08-19 18:48:31 +0000
|
| 1.5.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.5.12.2 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.5.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.7.10.1 | 18-May-2014 |
rmind | sync with head
|
| 1.7.6.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.8.30.2 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.8.30.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.8.28.1 | 28-Jul-2018 |
pgoyette | Sync with HEAD
|
| 1.9.6.1 | 29-Feb-2020 |
ad | Sync with head.
|
| 1.10.6.1 | 14-Dec-2020 |
thorpej | Sync w/ HEAD.
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.10;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.10.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.1.10.1 | 08-Sep-2006 |
yamt | file files.overlay was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file files.overlay was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.5 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.4 | 02-Oct-2009 |
elad | branches: 1.4.12; 1.4.16;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.3 | 09-Jan-2007 |
elad | branches: 1.3.44;
Remove advertising clause from all of my stuff.
|
| 1.2 | 29-Dec-2006 |
elad | branches: 1.2.2;
Support device scope.
|
| 1.1 | 08-Sep-2006 |
elad | branches: 1.1.2; 1.1.6; 1.1.8; 1.1.10;
First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.1.10.1 | 03-Jun-2008 |
skrll | Sync with netbsd-4.
|
| 1.1.8.1 | 24-Mar-2008 |
bouyer | Pull up following revision(s) (requested by elad in ticket #1108):
sys/secmodel/overlay/secmodel_overlay.c: revision 1.4 via patch
sys/secmodel/overlay/overlay.h: revision 1.2
Support device scope.
|
| 1.1.6.2 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.1.6.1 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.1.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.1.2.1 | 08-Sep-2006 |
yamt | file overlay.h was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.2.2.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.2.2.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.2.2.1 | 29-Dec-2006 |
yamt | file overlay.h was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.3.44.1 | 11-Mar-2010 |
yamt | sync with head
|
| 1.4.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.4.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.14 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.13 | 25-Feb-2014 |
pooka | branches: 1.13.30;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.12 | 04-Dec-2011 |
jym | branches: 1.12.6; 1.12.10;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.11 | 28-Nov-2011 |
jym | branches: 1.11.2;
The secmodel(9)s init, start and stop routines are managed by each
secmodel module(7), so there is no point in calling suser/securelevel
routines from bsd44. This leads to unwanted cross-secmodel dependencies.
Do not call secmodel_bsd44_init() from secmodel_overlay_init(). Doing so
resets all curtain/securelevel values, which is not really needed when
loading an overlay filter.
Remove the secmodel_register/deregister comments, they will be
implemented differently in an upcoming patch.
ok elad@ (via private mail).
|
| 1.10 | 02-Oct-2009 |
elad | branches: 1.10.12;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.9 | 23-Feb-2008 |
elad | branches: 1.9.4;
Adapt to secmodel_securelevel.
|
| 1.8 | 16-Jan-2007 |
elad | branches: 1.8.20; 1.8.36; 1.8.40;
Use secmodel_register() and secmodel_deregister().
|
| 1.7 | 16-Jan-2007 |
elad | Implement secmodel_bsd44_start(), secmodel_bsd44_stop(), and
secmodel_overlay_start().
|
| 1.6 | 15-Jan-2007 |
elad | '&securelevel' -> 'NULL', pointed out by cube@, thanks!
|
| 1.5 | 09-Jan-2007 |
elad | Remove advertising clause from all of my stuff.
|
| 1.4 | 29-Dec-2006 |
elad | branches: 1.4.2;
Support device scope.
|
| 1.3 | 17-Sep-2006 |
elad | branches: 1.3.4; 1.3.6; 1.3.8;
Make the sysctl warnings on dmesg ("..returned 17") go away, after many
people didn't like them.
|
| 1.2 | 08-Sep-2006 |
elad | branches: 1.2.2;
Add __KERNEL_RCSID(), requested by and okay xtraeme@.
|
| 1.1 | 08-Sep-2006 |
elad | First take at security model abstraction.
- Add a few scopes to the kernel: system, network, and machdep.
- Add a few more actions/sub-actions (requests), and start using them as
opposed to the KAUTH_GENERIC_ISSUSER place-holders.
- Introduce a basic set of listeners that implement our "traditional"
security model, called "bsd44". This is the default (and only) model we
have at the moment.
- Update all relevant documentation.
- Add some code and docs to help folks who want to actually use this stuff:
* There's a sample overlay model, sitting on-top of "bsd44", for
fast experimenting with tweaking just a subset of an existing model.
This is pretty cool because it's *really* straightforward to do stuff
you had to use ugly hacks for until now...
* And of course, documentation describing how to do the above for quick
reference, including code samples.
All of these changes were tested for regressions using a Python-based
testsuite that will be (I hope) available soon via pkgsrc. Information
about the tests, and how to write new ones, can be found on:
http://kauth.linbsd.org/kauthwiki
NOTE FOR DEVELOPERS: *PLEASE* don't add any code that does any of the
following:
- Uses a KAUTH_GENERIC_ISSUSER kauth(9) request,
- Checks 'securelevel' directly,
- Checks a uid/gid directly.
(or if you feel you have to, contact me first)
This is still work in progress; It's far from being done, but now it'll
be a lot easier.
Relevant mailing list threads:
http://mail-index.netbsd.org/tech-security/2006/01/25/0011.html
http://mail-index.netbsd.org/tech-security/2006/03/24/0001.html
http://mail-index.netbsd.org/tech-security/2006/04/18/0000.html
http://mail-index.netbsd.org/tech-security/2006/05/15/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/01/0000.html
http://mail-index.netbsd.org/tech-security/2006/08/25/0000.html
Many thanks to YAMAMOTO Takashi, Matt Thomas, and Christos Zoulas for help
stablizing kauth(9).
Full credit for the regression tests, making sure these changes didn't break
anything, goes to Matt Fleming and Jaime Fournier.
Happy birthday Randi! :)
|
| 1.2.2.2 | 14-Sep-2006 |
yamt | sync with head.
|
| 1.2.2.1 | 08-Sep-2006 |
yamt | file secmodel_overlay.c was added on branch yamt-pdpolicy on 2006-09-14 12:32:00 +0000
|
| 1.3.8.1 | 03-Jun-2008 |
skrll | Sync with netbsd-4.
|
| 1.3.6.1 | 24-Mar-2008 |
bouyer | Pull up following revision(s) (requested by elad in ticket #1108):
sys/secmodel/overlay/secmodel_overlay.c: revision 1.4 via patch
sys/secmodel/overlay/overlay.h: revision 1.2
Support device scope.
|
| 1.3.4.4 | 01-Feb-2007 |
ad | Sync with head.
|
| 1.3.4.3 | 12-Jan-2007 |
ad | Sync with head.
|
| 1.3.4.2 | 18-Nov-2006 |
ad | Sync with head.
|
| 1.3.4.1 | 17-Sep-2006 |
ad | file secmodel_overlay.c was added on branch newlock2 on 2006-11-18 21:39:46 +0000
|
| 1.4.2.4 | 27-Feb-2008 |
yamt | sync with head.
|
| 1.4.2.3 | 26-Feb-2007 |
yamt | sync with head.
|
| 1.4.2.2 | 30-Dec-2006 |
yamt | sync with head.
|
| 1.4.2.1 | 29-Dec-2006 |
yamt | file secmodel_overlay.c was added on branch yamt-lazymbuf on 2006-12-30 20:50:55 +0000
|
| 1.8.40.1 | 03-Apr-2008 |
mjf | Sync with HEAD.
|
| 1.8.36.1 | 24-Mar-2008 |
keiichi | sync with head.
|
| 1.8.20.1 | 23-Mar-2008 |
matt | sync with HEAD
|
| 1.9.4.1 | 11-Mar-2010 |
yamt | sync with head
|
| 1.10.12.2 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.10.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.11.2.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.12.10.1 | 18-May-2014 |
rmind | sync with head
|
| 1.12.6.1 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.13.30.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.1 | 21-Nov-2007 |
elad | branches: 1.1.2; 1.1.4; 1.1.8; 1.1.16; 1.1.18;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1.18.2 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.1.18.1 | 21-Nov-2007 |
matt | file files.securelevel was added on branch matt-armv6 on 2008-01-09 01:58:03 +0000
|
| 1.1.16.2 | 21-Nov-2007 |
elad | Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1.16.1 | 21-Nov-2007 |
elad | file files.securelevel was added on branch mjf-devfs on 2007-11-21 22:49:10 +0000
|
| 1.1.8.2 | 07-Dec-2007 |
yamt | sync with head
|
| 1.1.8.1 | 21-Nov-2007 |
yamt | file files.securelevel was added on branch yamt-lazymbuf on 2007-12-07 17:34:50 +0000
|
| 1.1.4.2 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.1.4.1 | 21-Nov-2007 |
joerg | file files.securelevel was added on branch jmcneill-pm on 2007-11-27 19:39:09 +0000
|
| 1.1.2.2 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.1.2.1 | 21-Nov-2007 |
bouyer | file files.securelevel was added on branch bouyer-xenamd64 on 2007-11-22 15:38:35 +0000
|
| 1.37 | 05-Dec-2020 |
thorpej | Remove unnecessary inclusion of <sys/timevar.h>.
|
| 1.36 | 28-May-2020 |
riastradh | branches: 1.36.2;
Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2).
securelevel=1 is supposed to be a reasonable default for normal
computers. This got in the way of ever getting entropy from a seed
on a machine with no HWRNG -- e.g., from another machine, or by
making the executive decision that what has been sampled is good
enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
|
| 1.35 | 11-May-2020 |
alnsn | KAUTH_MACHDEP_SVS_DISABLE is deprecated.
sysctl machdep.svs.enabled can't be changed anymore
at runtime because it's now a boot option.
|
| 1.34 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.33 | 21-Feb-2020 |
joerg | Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.
|
| 1.32 | 15-Jul-2018 |
maxv | branches: 1.32.4; 1.32.6;
Retire ipkdb entirely. The option was removed from the config files
yesterday.
ok kamil christos
|
| 1.31 | 26-Apr-2018 |
alnsn | branches: 1.31.2;
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).
Disabling SVS is denied at securelevel 1 and above.
|
| 1.30 | 25-Feb-2014 |
pooka | branches: 1.30.22; 1.30.28;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.29 | 28-Jan-2013 |
jym | branches: 1.29.2;
Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.28 | 27-Jun-2012 |
cheusov | branches: 1.28.2;
KNF fix. spaces vs. tab
|
| 1.27 | 13-Mar-2012 |
elad | Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.
Most of these changes were brought up in the following messages:
http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html
Thanks to christos, manu, njoly, and jmmv for input.
Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
|
| 1.26 | 17-Jan-2012 |
cegger | branches: 1.26.2; 1.26.6;
fix secmodel implementation of CPU_UCODE.
ok wiz@ for the manpages
ok elad@
|
| 1.25 | 13-Jan-2012 |
cegger | Support CPU microcode loading via cpuctl(8).
Implemented and enabled via CPU_UCODE kernel config option
for x86 and Xen Dom0.
Tested on different AMD machines with different
CPU families.
ok wiz@ for the manpages
ok releng@
ok core@ via releng@
|
| 1.24 | 05-Dec-2011 |
jym | secmodel_eval(9) may want to access securelevel before it is set
to the right value, so init it first before registering secmodel(9).
|
| 1.23 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.22 | 28-Nov-2011 |
jym | branches: 1.22.2;
Whitespace fixes.
|
| 1.21 | 23-Nov-2011 |
tls | Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.
Goes to some trouble to never load or save to network filesystems.
Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.
|
| 1.20 | 07-Oct-2009 |
elad | branches: 1.20.12;
Compare against initproc, not pid 1, to check if it's init (unify).
|
| 1.19 | 06-Oct-2009 |
elad | Unify: >= 0 -> > -1.
|
| 1.18 | 06-Oct-2009 |
elad | Cosmetic changes to declarations. No functional change.
|
| 1.17 | 06-Oct-2009 |
elad | Factor out a block of code that appears in three places (Veriexec, keylock,
and securelevel) so that others can use it as well.
|
| 1.16 | 03-Oct-2009 |
elad | Introduce time_wraps() to check if setting the time will wrap it (or
close to it). Useful for secmodels.
Replace open-coded form with it in secmodel code (securelevel, keylock).
Note: I need to find a way to make secmodel_keylock.c ~<100 lines.
|
| 1.15 | 02-Oct-2009 |
elad | Create securelevel variable under securelevel node.
|
| 1.14 | 02-Oct-2009 |
elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.13 | 03-Sep-2009 |
elad | Implement the vnode scope and adapt tmpfs to use it.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
|
| 1.12 | 25-Jul-2009 |
mbalmer | Extend the existing security models for upcoming gpio(4) changes.
Reviewed and feedback by Elad Efrat.
|
| 1.11 | 06-May-2009 |
elad | Sprinkle some switch defaults.
|
| 1.10 | 11-Jan-2009 |
christos | branches: 1.10.2;
merge christos-time_t
|
| 1.9 | 12-Nov-2008 |
ad | Remove LKMs and switch to the module framework, pass 1.
Proposed on tech-kern@.
|
| 1.8 | 23-Jan-2008 |
elad | branches: 1.8.6; 1.8.8; 1.8.12; 1.8.18; 1.8.20;
Tons of process scope changes.
- Add a KAUTH_PROCESS_SCHEDULER action, to handle scheduler related
requests, and add specific requests for set/get scheduler policy and
set/get scheduler parameters.
- Add a KAUTH_PROCESS_KEVENT_FILTER action, to handle kevent(2) related
requests.
- Add a KAUTH_DEVICE_TTY_STI action to handle requests to TIOCSTI.
- Add requests for the KAUTH_PROCESS_CANSEE action, indicating what
process information is being looked at (entry itself, args, env,
open files).
- Add requests for the KAUTH_PROCESS_RLIMIT action indicating set/get.
- Add requests for the KAUTH_PROCESS_CORENAME action indicating set/get.
- Make bsd44 secmodel code handle the newly added rqeuests appropriately.
All of the above make it possible to issue finer-grained kauth(9) calls in
many places, removing some KAUTH_GENERIC_ISSUSER requests.
- Remove the "CAN" from KAUTH_PROCESS_CAN{KTRACE,PROCFS,PTRACE,SIGNAL}.
Discussed with christos@ and yamt@.
|
| 1.7 | 16-Jan-2008 |
ad | Pull in my modules code for review/test/hacking.
|
| 1.6 | 14-Jan-2008 |
ad | vp->v_rdev, not vp->v_un.vu_specinfo->si_rdev.
|
| 1.5 | 31-Dec-2007 |
ad | branches: 1.5.2;
Remove systrace. Ok core@.
|
| 1.4 | 25-Nov-2007 |
elad | branches: 1.4.2; 1.4.6; 1.4.10; 1.4.14;
Deprecate KAUTH_REQ_SYSTEM_TIME_BACKWARDS, as it was merged into
KAUTH_REQ_SYSTEM_TIME_SYSTEM.
|
| 1.3 | 25-Nov-2007 |
elad | Refactor time modification checks and place them in the secmodel code.
okay christos@
|
| 1.2 | 24-Nov-2007 |
elad | Fix a long time issue where the securelevel secmodel would explicitly
allow certain operations.
The suser module of the bsd44 secmodel code was made aware of the missing
operations that were explicitly allowed in the securelevel module, and
the logic in the latter was modified to a default defer, deny where not
allowed.
This concept, which is the correct way to write secmodel code, was first
brought up by pavel@ a long time ago.
okay christos@.
|
| 1.1 | 21-Nov-2007 |
elad | branches: 1.1.2;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1.2.2 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.1.2.1 | 21-Nov-2007 |
bouyer | file secmodel_securelevel.c was added on branch bouyer-xenamd64 on 2007-11-22 15:38:35 +0000
|
| 1.4.14.2 | 18-Feb-2008 |
mjf | Sync with HEAD.
|
| 1.4.14.1 | 25-Nov-2007 |
mjf | file secmodel_securelevel.c was added on branch mjf-devfs on 2008-02-18 21:07:22 +0000
|
| 1.4.10.3 | 23-Jan-2008 |
bouyer | Sync with HEAD.
|
| 1.4.10.2 | 19-Jan-2008 |
bouyer | Sync with HEAD
|
| 1.4.10.1 | 02-Jan-2008 |
bouyer | Sync with HEAD
|
| 1.4.6.4 | 04-Feb-2008 |
yamt | sync with head.
|
| 1.4.6.3 | 21-Jan-2008 |
yamt | sync with head
|
| 1.4.6.2 | 07-Dec-2007 |
yamt | sync with head
|
| 1.4.6.1 | 25-Nov-2007 |
yamt | file secmodel_securelevel.c was added on branch yamt-lazymbuf on 2007-12-07 17:34:50 +0000
|
| 1.4.2.2 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.4.2.1 | 25-Nov-2007 |
joerg | file secmodel_securelevel.c was added on branch jmcneill-pm on 2007-11-27 19:39:10 +0000
|
| 1.5.2.3 | 23-Mar-2008 |
matt | sync with HEAD
|
| 1.5.2.2 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.5.2.1 | 31-Dec-2007 |
matt | file secmodel_securelevel.c was added on branch matt-armv6 on 2008-01-09 01:58:03 +0000
|
| 1.8.20.1 | 19-Jan-2009 |
skrll | Sync with HEAD.
|
| 1.8.18.1 | 13-Dec-2008 |
haad | Update haad-dm branch to haad-dm-base2.
|
| 1.8.12.5 | 11-Mar-2010 |
yamt | sync with head
|
| 1.8.12.4 | 16-Sep-2009 |
yamt | sync with head
|
| 1.8.12.3 | 19-Aug-2009 |
yamt | sync with head.
|
| 1.8.12.2 | 16-May-2009 |
yamt | sync with head
|
| 1.8.12.1 | 04-May-2009 |
yamt | sync with head.
|
| 1.8.8.2 | 20-Nov-2008 |
christos | merge with head.
|
| 1.8.8.1 | 29-Mar-2008 |
christos | Welcome to the time_t=long long dev_t=uint64_t branch.
|
| 1.8.6.1 | 17-Jan-2009 |
mjf | Sync with HEAD.
|
| 1.10.2.1 | 13-May-2009 |
jym | Sync with HEAD.
Commit is split, to avoid a "too many arguments" protocol error.
|
| 1.20.12.3 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.20.12.2 | 30-Oct-2012 |
yamt | sync with head
|
| 1.20.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.22.2.2 | 05-Apr-2012 |
mrg | sync to latest -current.
|
| 1.22.2.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.26.6.1 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by jym in ticket #802):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.29
sys/secmodel/extensions/secmodel_extensions.c: revision 1.4
Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.26.2.1 | 08-Feb-2013 |
riz | Pull up following revision(s) (requested by jym in ticket #802):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.29
sys/secmodel/extensions/secmodel_extensions.c: revision 1.4
Re-instate backwards compatible security.models.bsd44.{curtain,securelevel}.
They were mistakenly removed when curtain and securelevel moved to
secmodel_extensions(9).
Reported by tls@ on tech-security@.
XXX will ask for pull-up for -6.
|
| 1.28.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.28.2.1 | 25-Feb-2013 |
tls | resync with head
|
| 1.29.2.1 | 18-May-2014 |
rmind | sync with head
|
| 1.30.28.2 | 28-Jul-2018 |
pgoyette | Sync with HEAD
|
| 1.30.28.1 | 02-May-2018 |
pgoyette | Synch with HEAD
|
| 1.30.22.1 | 05-May-2018 |
martin | Pull up following revision(s) (requested by alnsn in ticket #790):
share/man/man9/secmodel_securelevel.9: revision 1.16
sys/secmodel/suser/secmodel_suser.c: revision 1.44
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.31
sys/sys/kauth.h: revision 1.76
sys/arch/x86/x86/svs.c: revision 1.18
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).
Disabling SVS is denied at securelevel 1 and above.
Add SVS. It may not be disabled at securelevel 1 and above.
|
| 1.31.2.2 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.31.2.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.32.6.1 | 29-Feb-2020 |
ad | Sync with head.
|
| 1.32.4.1 | 17-Aug-2020 |
martin | Pull up following revision(s) (requested by riastradh in ticket #1053):
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.36
Accept ioctl(RNDADDDATA) estimates at securelevel 1 (but not 2).
securelevel=1 is supposed to be a reasonable default for normal
computers. This got in the way of ever getting entropy from a seed
on a machine with no HWRNG -- e.g., from another machine, or by
making the executive decision that what has been sampled is good
enough and issuing `head -c 32 < /dev/urandom > /dev/random'.
|
| 1.36.2.1 | 14-Dec-2020 |
thorpej | Sync w/ HEAD.
|
| 1.5 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.4 | 04-Dec-2011 |
jym | branches: 1.4.48;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.3 | 02-Oct-2009 |
elad | branches: 1.3.12; 1.3.16;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.2 | 03-Sep-2009 |
elad | Implement the vnode scope and adapt tmpfs to use it.
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/07/04/msg005404.html
|
| 1.1 | 21-Nov-2007 |
elad | branches: 1.1.2; 1.1.4; 1.1.8; 1.1.16; 1.1.18; 1.1.28;
Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1.28.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.1.28.1 | 16-Sep-2009 |
yamt | sync with head
|
| 1.1.18.2 | 09-Jan-2008 |
matt | sync with HEAD
|
| 1.1.18.1 | 21-Nov-2007 |
matt | file securelevel.h was added on branch matt-armv6 on 2008-01-09 01:58:04 +0000
|
| 1.1.16.2 | 21-Nov-2007 |
elad | Make securelevel a "secmodel" of its own.
While it's true that it's part of the traditional 4.4BSD security model,
there may come a time where a different "primary" security model used for
fine-grained privileges (ie., splitting root's responsibilities to various
privileges that can be assigned) may want to still have a securelevel
setting.
Idea from Daniel Carosone:
http://mail-index.netbsd.org/tech-security/2006/08/25/0001.html
The location of the removed files, for reference, was:
src/secmodel/bsd44/secmodel_bsd44_securelevel.c
src/secmodel/bsd44/securelevel.h
|
| 1.1.16.1 | 21-Nov-2007 |
elad | file securelevel.h was added on branch mjf-devfs on 2007-11-21 22:49:10 +0000
|
| 1.1.8.2 | 07-Dec-2007 |
yamt | sync with head
|
| 1.1.8.1 | 21-Nov-2007 |
yamt | file securelevel.h was added on branch yamt-lazymbuf on 2007-12-07 17:34:51 +0000
|
| 1.1.4.2 | 27-Nov-2007 |
joerg | Sync with HEAD. amd64 Xen support needs testing.
|
| 1.1.4.1 | 21-Nov-2007 |
joerg | file securelevel.h was added on branch jmcneill-pm on 2007-11-27 19:39:11 +0000
|
| 1.1.2.2 | 22-Nov-2007 |
bouyer | Sync with HEAD
|
| 1.1.2.1 | 21-Nov-2007 |
bouyer | file securelevel.h was added on branch bouyer-xenamd64 on 2007-11-22 15:38:36 +0000
|
| 1.3.16.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.3.12.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.4.48.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.1 | 02-Oct-2009 |
elad | branches: 1.1.4;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.1.4.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.1.4.1 | 02-Oct-2009 |
yamt | file files.suser was added on branch yamt-nfs-mp on 2010-03-11 15:04:41 +0000
|
| 1.58 | 01-Mar-2024 |
andvar | s/securlevel/securelevel/ in comment.
|
| 1.57 | 05-Jan-2023 |
jakllsch | wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.
Add kauth(9) enums for wg(4) and add use them in suser secmodel.
Refines fix for PR 57161.
|
| 1.56 | 05-Jan-2023 |
jakllsch | more strip(4) removal, this time in kauth(9)
|
| 1.55 | 08-Sep-2020 |
christos | branches: 1.55.20;
Add IP_BINDANY, IPV6_BINDANY which can be used to bind to any address in
order to implement transparent proxies.
|
| 1.54 | 16-May-2020 |
alnsn | Make it clear that only KAUTH_MACHDEP_SVS_DISABLE is deprecated.
|
| 1.53 | 11-May-2020 |
alnsn | KAUTH_MACHDEP_SVS_DISABLE is deprecated.
sysctl machdep.svs.enabled can't be changed anymore
at runtime because it's now a boot option.
|
| 1.52 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.51 | 21-Feb-2020 |
joerg | Explicitly cast pointers to uintptr_t before casting to enums. They are
not necessarily the same size. Don't cast pointers to bool, check for
NULL instead.
|
| 1.50 | 10-Apr-2019 |
maxv | branches: 1.50.6;
Add the NVMM_CTL ioctl, always privileged regardless of the permissions of
/dev/nvmm. We'll use it to provide a way for an admin to control the
registered VMs in the kernel.
Add an associated wrapper in libnvmm.
|
| 1.49 | 05-Oct-2018 |
christos | Provide a sysctl kern.expose_address to expose kernel addresses in
sysctl structure returns for non-root. Defaults to off. Turning it
on will restore sockstat/fstat and friends for regular users.
|
| 1.48 | 04-Sep-2018 |
maxv | Introduce KAUTH_REQ_PROCESS_CANSEE_KPTR, and use it in the already-existing
modstat code. No real functional change.
|
| 1.47 | 25-Aug-2018 |
maxv | Add KAUTH_REQ_PROCESS_CANSEE_EPROC, and use it for the kern.proc node.
Same permission as before, so no functional change.
|
| 1.46 | 15-Jul-2018 |
maxv | Retire ipkdb entirely. The option was removed from the config files
yesterday.
ok kamil christos
|
| 1.45 | 13-Jul-2018 |
maxv | Remove KAUTH_MACHDEP_X86PMC, now unused.
|
| 1.44 | 26-Apr-2018 |
alnsn | branches: 1.44.2;
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).
Disabling SVS is denied at securelevel 1 and above.
|
| 1.43 | 14-Jun-2017 |
maxv | branches: 1.43.4;
Make the PMC syscalls privileged.
|
| 1.42 | 17-Aug-2015 |
knakahara | branches: 1.42.10;
Add kernel code to support intrctl(8).
|
| 1.41 | 25-Feb-2014 |
pooka | branches: 1.41.6;
Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before
the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate
lines of code.
|
| 1.40 | 13-Nov-2012 |
pooka | branches: 1.40.2;
kill some -Wunused-but-set-variable warnings
|
| 1.39 | 13-Mar-2012 |
elad | branches: 1.39.2;
Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with
something meaningful. All relevant documentation has been updated or
written.
Most of these changes were brought up in the following messages:
http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html
Thanks to christos, manu, njoly, and jmmv for input.
Huge thanks to pgoyette for spinning these changes through some build
cycles and ATF.
|
| 1.38 | 17-Jan-2012 |
cegger | fix secmodel implementation of CPU_UCODE.
ok wiz@ for the manpages
ok elad@
|
| 1.37 | 13-Jan-2012 |
cegger | Support CPU microcode loading via cpuctl(8).
Implemented and enabled via CPU_UCODE kernel config option
for x86 and Xen Dom0.
Tested on different AMD machines with different
CPU families.
ok wiz@ for the manpages
ok releng@
ok core@ via releng@
|
| 1.36 | 04-Dec-2011 |
jym | Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.35 | 23-Nov-2011 |
tls | branches: 1.35.2;
Load entropy at system boot (only works at securelevel < 1); save
at system shutdown. Disable with random_seed=NO in rc.conf if desired.
Goes to some trouble to never load or save to network filesystems.
Entropy should really be loaded by the boot loader but I am still
sorting out how to pass it to the kernel.
|
| 1.34 | 29-Dec-2009 |
elad | branches: 1.34.4; 1.34.14;
Use the socket credentials, now that we have them, instead of uidinfo.
|
| 1.33 | 24-Dec-2009 |
elad | Rename KAUTH_GENERIC_CANSEE to KAUTH_GENERIC_UNUSED1 and remove handling for
the former.
(I'll remove it from the header next time a kernel version bump happens.)
|
| 1.32 | 18-Nov-2009 |
stacktic | Fixed security.models.suser.curtain to deny when uid does not match.
OK pooka@
|
| 1.31 | 14-Nov-2009 |
elad | - Move kauth_init() a little bit higher.
- Add spec_init() to authorize special device actions (and passthru too for
the time being). Move policy out of secmodel_suser.
|
| 1.30 | 07-Oct-2009 |
elad | Extract usermount policy to its own routine.
|
| 1.29 | 06-Oct-2009 |
elad | Add a (weak aliased) machdep_init() as a place to do machdep initialization
that can't happen as early as the other init functions as called from
cpu_startup() -- for example, register kauth(9) listeners.
Put unprivileged policy in the x86 code; used by i386, amd64, and xen.
|
| 1.28 | 06-Oct-2009 |
elad | Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel
and remove subsystem specific listeners; without this change they would
have ended up with a root user that can only do privileged operations.
|
| 1.27 | 05-Oct-2009 |
elad | - Add usermount_common_policy() that implements some common (everything
but access control) user mounting policies: enforced MNT_NOSUID and
MNT_NODEV, no MNT_EXPORT, MNT_EXEC propagation. This can be useful for
secmodels that are interested in simply adding finer grained user mount
support.
- Add a mount subsystem listener for KAUTH_REQ_SYSTEM_MOUNT_GET.
|
| 1.26 | 03-Oct-2009 |
elad | Move KAUTH_NETWORK_BIND::KAUTH_REQ_NETWORK_BIND_PORT policy back to the
subsystem (or close to it).
Note: Revisit KAUTH_REQ_NETWORK_BIND_PRIVPORT.
|
| 1.25 | 03-Oct-2009 |
elad | Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to
the subsystem.
Note: Consider killing the signal listener and sticking
KAUTH_PROCESS_SIGNAL here as well.
|
| 1.24 | 03-Oct-2009 |
elad | One less include.
|
| 1.23 | 03-Oct-2009 |
elad | Make this file a little bit smaller by collapsing cases.
|
| 1.22 | 03-Oct-2009 |
elad | Move clockctl policy exception back to the subsystem.
|
| 1.21 | 03-Oct-2009 |
elad | secmodel_bsd44_curtain -> secmodel_suser_curtain (static).
|
| 1.20 | 03-Oct-2009 |
elad | Move default network interface policy back to the subsystem.
|
| 1.19 | 03-Oct-2009 |
elad | Finish moving socket policy to the subsystem.
|
| 1.18 | 03-Oct-2009 |
elad | Move sched policy back to the subsystem.
|
| 1.17 | 03-Oct-2009 |
elad | Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD
versions that are no longer maintained. It won't make the code more
readable, but we should consider removing them.
|
| 1.16 | 03-Oct-2009 |
elad | Move kevent policy back to the subsystem.
|
| 1.15 | 03-Oct-2009 |
elad | Put module loading policy back in the subsystem.
Revisit: consider moving kauth_init() above module_init() in main().
|
| 1.14 | 02-Oct-2009 |
elad | Put the tty opening policy back in the subsystem.
Remove include we don't need from the secmodel code.
|
| 1.13 | 02-Oct-2009 |
elad | Move some of the socket policy back to the subsystem.
Remove include we don't need in the secmodel code.
|
| 1.12 | 02-Oct-2009 |
elad | Put signal delivery policy back in the subsystem.
|
| 1.11 | 02-Oct-2009 |
elad | Remove includes we don't need.
|
| 1.10 | 02-Oct-2009 |
elad | Move routing socket security policy back to the subsystem.
|
| 1.9 | 02-Oct-2009 |
elad | - Squeeze function declarations where possible,
- KAUTH_RESULT_DEFER is the default (set at the beginning of each listener)
and as such does not need to be set explicitly in the switches.
|
| 1.8 | 02-Oct-2009 |
elad | Put procfs policy back in the subsystem.
|
| 1.7 | 02-Oct-2009 |
elad | Stick nice policy in its own subsystem and call the listener "resource"
rather than "rlimit"...
|
| 1.6 | 02-Oct-2009 |
elad | Move rlimit policy back to the subsystem.
For this we needed proc_uidmatch() exposed, which makes a lot of sense,
so put it back in sys_process.c for use in other places as well.
|
| 1.5 | 02-Oct-2009 |
elad | Move ptrace's security policy back to the subsystem itself.
Add a ptrace_init() so we have a place to register the listener; called
next to ktrinit().
|
| 1.4 | 02-Oct-2009 |
elad | Let the ipkdb subsystem allow operations related to it rather than wrongly
doing so in the suser secmodel.
|
| 1.3 | 02-Oct-2009 |
elad | Move psets security policy back to the subsystem and keep suser logic only
in the suser secmodel code.
|
| 1.2 | 02-Oct-2009 |
elad | Move ktrace's subsystem security policy to the subsystem itself, and keep
just the suser-related logic in the suser secmodel.
|
| 1.1 | 02-Oct-2009 |
elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.34.14.3 | 22-May-2014 |
yamt | sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
|
| 1.34.14.2 | 16-Jan-2013 |
yamt | sync with (a bit old) head
|
| 1.34.14.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.34.4.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.34.4.1 | 29-Dec-2009 |
yamt | file secmodel_suser.c was added on branch yamt-nfs-mp on 2010-03-11 15:04:41 +0000
|
| 1.35.2.2 | 05-Apr-2012 |
mrg | sync to latest -current.
|
| 1.35.2.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.39.2.3 | 03-Dec-2017 |
jdolecek | update from HEAD
|
| 1.39.2.2 | 20-Aug-2014 |
tls | Rebase to HEAD as of a few days ago.
|
| 1.39.2.1 | 20-Nov-2012 |
tls | Resync to 2012-11-19 00:00:00 UTC
|
| 1.40.2.1 | 18-May-2014 |
rmind | sync with head
|
| 1.41.6.2 | 28-Aug-2017 |
skrll | Sync with HEAD
|
| 1.41.6.1 | 22-Sep-2015 |
skrll | Sync with HEAD
|
| 1.42.10.2 | 05-May-2018 |
martin | Pull up following revision(s) (requested by alnsn in ticket #790):
share/man/man9/secmodel_securelevel.9: revision 1.16
sys/secmodel/suser/secmodel_suser.c: revision 1.44
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.31
sys/sys/kauth.h: revision 1.76
sys/arch/x86/x86/svs.c: revision 1.18
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).
Disabling SVS is denied at securelevel 1 and above.
Add SVS. It may not be disabled at securelevel 1 and above.
|
| 1.42.10.1 | 01-Aug-2017 |
snj | Pull up following revision(s) (requested by maxv in ticket #164):
distrib/sets/lists/base/md.amd64: revision 1.269
distrib/sets/lists/debug/md.amd64: revision 1.97
sys/arch/amd64/conf/GENERIC: revision 1.460
sys/arch/amd64/conf/files.amd64: revision 1.89
sys/arch/i386/conf/GENERIC: revision 1.1157
sys/arch/i386/conf/files.i386: revision 1.379
sys/arch/i386/i386/i386_trap.S: revision 1.7-1.8
sys/arch/i386/include/frameasm.h: revision 1.16
sys/arch/x86/include/sysarch.h: revision 1.12
sys/arch/x86/x86/pmc.c: revision 1.8-1.10
sys/arch/x86/x86/sys_machdep.c: revision 1.36
sys/arch/xen/conf/files.compat: revision 1.26
sys/secmodel/suser/secmodel_suser.c: revision 1.43
sys/sys/kauth.h: revision 1.74
usr.bin/pmc/Makefile: revision 1.5
usr.bin/pmc/pmc.1: revision 1.12-1.13
usr.bin/pmc/pmc.c: revision 1.24-1.25
style
--
style
--
Disable interrupts for T_NMI (inline calltrap). Note that there's still a
way to evade the NMI mode here, if a segment register faults in
INTRFASTEXIT; but we don't care. I didn't test this change, but it seems
fine enough.
--
Make the PMC syscalls privileged.
--
Check argc, and add a message.
--
include opt_pmc.h
--
Build the pmc tool on amd64.
--
Properly handle overflows, and take them into account in userland.
--
Update.
--
Enable PMCs by default.
--
Sort sections. Fix macro usage.
|
| 1.43.4.4 | 20-Oct-2018 |
pgoyette | Sync with head
|
| 1.43.4.3 | 06-Sep-2018 |
pgoyette | Sync with HEAD
Resolve a couple of conflicts (result of the uimin/uimax changes)
|
| 1.43.4.2 | 28-Jul-2018 |
pgoyette | Sync with HEAD
|
| 1.43.4.1 | 02-May-2018 |
pgoyette | Synch with HEAD
|
| 1.44.2.2 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
| 1.44.2.1 | 10-Jun-2019 |
christos | Sync with HEAD
|
| 1.50.6.1 | 29-Feb-2020 |
ad | Sync with head.
|
| 1.55.20.2 | 13-Jan-2023 |
martin | Pull up following revision(s) (requested by jakllsch in ticket #49):
sys/secmodel/suser/secmodel_suser.c: revision 1.57
sys/sys/kauth.h: revision 1.89
sys/net/if_wg.c: revision 1.72
sys/net/if_wg.c: revision 1.73
sys/net/if_wg.c: revision 1.74
Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).
Addresses PR 57161.
wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.
Add kauth(9) enums for wg(4) and add use them in suser secmodel.
Refines fix for PR 57161.
centralize the kauth ugliness.
|
| 1.55.20.1 | 13-Jan-2023 |
martin | Pull up following revision(s) (requested by jakllsch in ticket #45):
sys/secmodel/suser/secmodel_suser.c: revision 1.56
sys/sys/kauth.h: revision 1.88
sys/arch/sparc/conf/INSTALL: revision 1.106
share/examples/secmodel/secmodel_example.c: revision 1.29
sys/conf/files: revision 1.1306
remove lingering strip(4) remnants
more strip(4) removal, this time in kauth(9)
|
| 1.3 | 16-Mar-2020 |
pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to
automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules
that create entries tied to individual device units, rather than to the
module itself. These are not changed.
|
| 1.2 | 04-Dec-2011 |
jym | branches: 1.2.48;
Implement the register/deregister/evaluation API for secmodel(9). It
allows registration of callbacks that can be used later for
cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another
secmodel, it has to submit a request to it so the other secmodel can
proceed to evaluating the request. This is done through the
secmodel_eval(9) call; example:
bool isroot;
error = secmodel_eval("org.netbsd.secmodel.suser", "is-root",
cred, &isroot);
if (error == 0 && !isroot)
result = KAUTH_RESULT_DENY;
This one asks the suser module if the credentials are assumed to be root
when evaluated by suser module. If the module is present, it will
respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to
document what it expects.
Typical example is securelevel testing: when someone wants to know
whether securelevel is raised above a certain level or not, the caller
has to request this property to the secmodel_securelevel(9) module.
Given that securelevel module may be absent from system's context (thus
making access to the global "securelevel" variable impossible or
unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9)
module, which plugs with the bsd44, suser and securelevel secmodels
to provide the logic behind curtain, usermount and user_set_cpu_affinity
modes, without adding hooks to traditional secmodels. This solves a
real issue with the current secmodel(9) code, as usermount or
user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings
when securelevel is above 0, through the "is-securelevel-above"
evaluation:
- curtain can be enabled any time, but cannot be disabled if
securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot
be enabled if securelevel is above 0.
Regarding sysctl(7) entries:
curtain and usermount are now found under security.models.extensions
tree. The security.curtain and vfs.generic.usermount are still
accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights
tests) by me. ok elad@.
See also
http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting
secmodel(9) errors might be a good idea, but I am not sure on how
to design such a function right now.
|
| 1.1 | 02-Oct-2009 |
elad | branches: 1.1.4; 1.1.14; 1.1.18;
First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel
and directory, pending even more cleanups. For revision history
purposes, the original location of the files was
src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for
secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and
documentation updated.
- Manage secmodel count (nsecmodels) through the module framework.
This eliminates the need for secmodel_{,de}register() calls in
secmodel code.
- Prepare for secmodel modularization by adding relevant module bits.
The secmodels don't allow auto unload. The bsd44 secmodel depends
on the suser and securelevel secmodels. The overlay secmodel depends
on the bsd44 secmodel. As the module class is only cosmetic, and to
prevent ambiguity, the bsd44 and overlay secmodels are prefixed with
"secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In
other words, don't create duplicates for the suser/securelevel
secmodels under the bsd44 secmodel, as the latter is merely used
for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in
relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call
to secmodel_start(); it's handled by the module framework. That
said, the module framework was adjusted to properly load secmodels
early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel,
simply use the suser secmodel. Also replace secmodel_start() with a
call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Spearated module_init()
changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html
|
| 1.1.18.1 | 18-Feb-2012 |
mrg | merge to -current.
|
| 1.1.14.1 | 17-Apr-2012 |
yamt | sync with head
|
| 1.1.4.2 | 11-Mar-2010 |
yamt | sync with head
|
| 1.1.4.1 | 02-Oct-2009 |
yamt | file suser.h was added on branch yamt-nfs-mp on 2010-03-11 15:04:41 +0000
|
| 1.2.48.1 | 08-Apr-2020 |
martin | Merge changes from current as of 20200406
|
