History log of /src/sys/secmodel/suser/secmodel_suser.c

Revision | Date | Author | Comments

1.58 | 01-Mar-2024 | andvar | s/securlevel/securelevel/ in comment.

1.57 | 05-Jan-2023 | jakllsch | wg(4): Allow non-root to retrieve information other than the private key and the peer preshared key.
Add kauth(9) enums for wg(4) and use them in suser secmodel.
Refines fix for PR 57161.

1.56 | 05-Jan-2023 | jakllsch | more strip(4) removal, this time in kauth(9)

1.55 | 08-Sep-2020 | christos | branches: 1.55.20; Add IP_BINDANY, IPV6_BINDANY which can be used to bind to any address in order to implement transparent proxies.

1.54 | 16-May-2020 | alnsn | Make it clear that only KAUTH_MACHDEP_SVS_DISABLE is deprecated.

1.53 | 11-May-2020 | alnsn | KAUTH_MACHDEP_SVS_DISABLE is deprecated.
sysctl machdep.svs.enabled can't be changed anymore at runtime because it's now a boot option.

1.52 | 16-Mar-2020 | pgoyette | Use the module subsystem's ability to process SYSCTL_SETUP() entries to automate installation of sysctl nodes.
Note that there are still a number of device and pseudo-device modules that create entries tied to individual device units, rather than to the module itself. These are not changed.

1.51 | 21-Feb-2020 | joerg | Explicitly cast pointers to uintptr_t before casting to enums. They are not necessarily the same size. Don't cast pointers to bool, check for NULL instead.

1.50 | 10-Apr-2019 | maxv | branches: 1.50.6; Add the NVMM_CTL ioctl, always privileged regardless of the permissions of /dev/nvmm. We'll use it to provide a way for an admin to control the registered VMs in the kernel.
Add an associated wrapper in libnvmm.

1.49 | 05-Oct-2018 | christos | Provide a sysctl kern.expose_address to expose kernel addresses in sysctl structure returns for non-root. Defaults to off. Turning it on will restore sockstat/fstat and friends for regular users.

1.48 | 04-Sep-2018 | maxv | Introduce KAUTH_REQ_PROCESS_CANSEE_KPTR, and use it in the already-existing modstat code. No real functional change.

1.47 | 25-Aug-2018 | maxv | Add KAUTH_REQ_PROCESS_CANSEE_EPROC, and use it for the kern.proc node. Same permission as before, so no functional change.

1.46 | 15-Jul-2018 | maxv | Retire ipkdb entirely. The option was removed from the config files yesterday.
ok kamil christos

1.45 | 13-Jul-2018 | maxv | Remove KAUTH_MACHDEP_X86PMC, now unused.

1.44 | 26-Apr-2018 | alnsn | branches: 1.44.2; Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9).
Disabling SVS is denied at securelevel 1 and above.

1.43 | 14-Jun-2017 | maxv | branches: 1.43.4; Make the PMC syscalls privileged.

1.42 | 17-Aug-2015 | knakahara | branches: 1.42.10; Add kernel code to support intrctl(8).

1.41 | 25-Feb-2014 | pooka | branches: 1.41.6; Ensure that the top level sysctl nodes (kern, vfs, net, ...) exist before the sysctl link sets are processed, and remove redundancy.
Shaves >13kB off of an amd64 GENERIC, not to mention >1k duplicate lines of code.

1.40 | 13-Nov-2012 | pooka | branches: 1.40.2; kill some -Wunused-but-set-variable warnings

1.39 | 13-Mar-2012 | elad | branches: 1.39.2; Replace the remaining KAUTH_GENERIC_ISSUSER authorization calls with something meaningful. All relevant documentation has been updated or written.
Most of these changes were brought up in the following messages:
http://mail-index.netbsd.org/tech-kern/2012/01/18/msg012490.html
http://mail-index.netbsd.org/tech-kern/2012/01/19/msg012502.html
http://mail-index.netbsd.org/tech-kern/2012/02/17/msg012728.html
Thanks to christos, manu, njoly, and jmmv for input.
Huge thanks to pgoyette for spinning these changes through some build cycles and ATF.

1.38 | 17-Jan-2012 | cegger | fix secmodel implementation of CPU_UCODE. ok wiz@ for the manpages ok elad@

1.37 | 13-Jan-2012 | cegger | Support CPU microcode loading via cpuctl(8). Implemented and enabled via CPU_UCODE kernel config option for x86 and Xen Dom0. Tested on different AMD machines with different CPU families.
ok wiz@ for the manpages ok releng@ ok core@ via releng@

1.36 | 04-Dec-2011 | jym | Implement the register/deregister/evaluation API for secmodel(9). It allows registration of callbacks that can be used later for cross-secmodel "safe" communication.
When a secmodel wishes to know a property maintained by another secmodel, it has to submit a request to it so the other secmodel can proceed to evaluating the request. This is done through the secmodel_eval(9) call; example:

    bool isroot;

    error = secmodel_eval("org.netbsd.secmodel.suser", "is-root", cred, &isroot);
    if (error == 0 && !isroot)
            result = KAUTH_RESULT_DENY;

This one asks the suser module if the credentials are assumed to be root when evaluated by suser module. If the module is present, it will respond. If absent, the call will return an error.
Args and command are arbitrarily defined; it's up to the secmodel(9) to document what it expects.
Typical example is securelevel testing: when someone wants to know whether securelevel is raised above a certain level or not, the caller has to request this property to the secmodel_securelevel(9) module. Given that securelevel module may be absent from system's context (thus making access to the global "securelevel" variable impossible or unsafe), this API can cope with this absence and return an error.
We are using secmodel_eval(9) to implement a secmodel_extensions(9) module, which plugs with the bsd44, suser and securelevel secmodels to provide the logic behind curtain, usermount and user_set_cpu_affinity modes, without adding hooks to traditional secmodels. This solves a real issue with the current secmodel(9) code, as usermount or user_set_cpu_affinity are not really tied to secmodel_suser(9).
The secmodel_eval(9) is also used to restrict security.models settings when securelevel is above 0, through the "is-securelevel-above" evaluation:
- curtain can be enabled any time, but cannot be disabled if securelevel is above 0.
- usermount/user_set_cpu_affinity can be disabled any time, but cannot be enabled if securelevel is above 0.
Regarding sysctl(7) entries: curtain and usermount are now found under security.models.extensions tree. The security.curtain and vfs.generic.usermount are still accessible for backwards compat.
Documentation is incoming, I am proof-reading my writings.
Written by elad@, reviewed and tested (anita test + interact for rights tests) by me. ok elad@.
See also http://mail-index.netbsd.org/tech-security/2011/11/29/msg000422.html
XXX might consider va0 mapping too.
XXX Having a secmodel(9) specific printf (like aprint_*) for reporting secmodel(9) errors might be a good idea, but I am not sure on how to design such a function right now.

1.35 | 23-Nov-2011 | tls | branches: 1.35.2; Load entropy at system boot (only works at securelevel < 1); save at system shutdown. Disable with random_seed=NO in rc.conf if desired.
Goes to some trouble to never load or save to network filesystems.
Entropy should really be loaded by the boot loader but I am still sorting out how to pass it to the kernel.

1.34 | 29-Dec-2009 | elad | branches: 1.34.4; 1.34.14; Use the socket credentials, now that we have them, instead of uidinfo.

1.33 | 24-Dec-2009 | elad | Rename KAUTH_GENERIC_CANSEE to KAUTH_GENERIC_UNUSED1 and remove handling for the former.
(I'll remove it from the header next time a kernel version bump happens.)

1.32 | 18-Nov-2009 | stacktic | Fixed security.models.suser.curtain to deny when uid does not match. OK pooka@

1.31 | 14-Nov-2009 | elad | - Move kauth_init() a little bit higher.
- Add spec_init() to authorize special device actions (and passthru too for the time being). Move policy out of secmodel_suser.

1.30 | 07-Oct-2009 | elad | Extract usermount policy to its own routine.

1.29 | 06-Oct-2009 | elad | Add a (weak aliased) machdep_init() as a place to do machdep initialization that can't happen as early as the other init functions as called from cpu_startup() -- for example, register kauth(9) listeners.
Put unprivileged policy in the x86 code; used by i386, amd64, and xen.

1.28 | 06-Oct-2009 | elad | Allow root to do things that the subsystem allows as well (unify).
This is important in the case someone manages to load the suser secmodel and remove subsystem specific listeners; without this change they would have ended up with a root user that can only do privileged operations.

1.27 | 05-Oct-2009 | elad | - Add usermount_common_policy() that implements some common (everything but access control) user mounting policies: enforced MNT_NOSUID and MNT_NODEV, no MNT_EXPORT, MNT_EXEC propagation. This can be useful for secmodels that are interested in simply adding finer grained user mount support.
- Add a mount subsystem listener for KAUTH_REQ_SYSTEM_MOUNT_GET.

1.26 | 03-Oct-2009 | elad | Move KAUTH_NETWORK_BIND::KAUTH_REQ_NETWORK_BIND_PORT policy back to the subsystem (or close to it).
Note: Revisit KAUTH_REQ_NETWORK_BIND_PRIVPORT.

1.25 | 03-Oct-2009 | elad | Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to the subsystem.
Note: Consider killing the signal listener and sticking KAUTH_PROCESS_SIGNAL here as well.

1.24 | 03-Oct-2009 | elad | One less include.

1.23 | 03-Oct-2009 | elad | Make this file a little bit smaller by collapsing cases.

1.22 | 03-Oct-2009 | elad | Move clockctl policy exception back to the subsystem.

1.21 | 03-Oct-2009 | elad | secmodel_bsd44_curtain -> secmodel_suser_curtain (static).

1.20 | 03-Oct-2009 | elad | Move default network interface policy back to the subsystem.

1.19 | 03-Oct-2009 | elad | Finish moving socket policy to the subsystem.

1.18 | 03-Oct-2009 | elad | Move sched policy back to the subsystem.

1.17 | 03-Oct-2009 | elad | Move firewall/NAT policy back to respective subsystems (pf, ipf).
Note: the ipf code contains a lot of ifdefs, some of them for NetBSD versions that are no longer maintained. It won't make the code more readable, but we should consider removing them.

1.16 | 03-Oct-2009 | elad | Move kevent policy back to the subsystem.

1.15 | 03-Oct-2009 | elad | Put module loading policy back in the subsystem.
Revisit: consider moving kauth_init() above module_init() in main().

1.14 | 02-Oct-2009 | elad | Put the tty opening policy back in the subsystem.
Remove include we don't need from the secmodel code.

1.13 | 02-Oct-2009 | elad | Move some of the socket policy back to the subsystem.
Remove include we don't need in the secmodel code.

1.12 | 02-Oct-2009 | elad | Put signal delivery policy back in the subsystem.

1.11 | 02-Oct-2009 | elad | Remove includes we don't need.

1.10 | 02-Oct-2009 | elad | Move routing socket security policy back to the subsystem.

1.9 | 02-Oct-2009 | elad | - Squeeze function declarations where possible,
- KAUTH_RESULT_DEFER is the default (set at the beginning of each listener) and as such does not need to be set explicitly in the switches.

1.8 | 02-Oct-2009 | elad | Put procfs policy back in the subsystem.

1.7 | 02-Oct-2009 | elad | Stick nice policy in its own subsystem and call the listener "resource" rather than "rlimit"...

1.6 | 02-Oct-2009 | elad | Move rlimit policy back to the subsystem.
For this we needed proc_uidmatch() exposed, which makes a lot of sense, so put it back in sys_process.c for use in other places as well.

1.5 | 02-Oct-2009 | elad | Move ptrace's security policy back to the subsystem itself.
Add a ptrace_init() so we have a place to register the listener; called next to ktrinit().

1.4 | 02-Oct-2009 | elad | Let the ipkdb subsystem allow operations related to it rather than wrongly doing so in the suser secmodel.

1.3 | 02-Oct-2009 | elad | Move psets security policy back to the subsystem and keep suser logic only in the suser secmodel code.

1.2 | 02-Oct-2009 | elad | Move ktrace's subsystem security policy to the subsystem itself, and keep just the suser-related logic in the suser secmodel.

1.1 | 02-Oct-2009 | elad | First part of secmodel cleanup and other misc. changes:
- Separate the suser part of the bsd44 secmodel into its own secmodel and directory, pending even more cleanups. For revision history purposes, the original location of the files was
    src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
    src/sys/secmodel/bsd44/suser.h
- Add a man-page for secmodel_suser(9) and update the one for secmodel_bsd44(9).
- Add a "secmodel" module class and use it. Userland program and documentation updated.
- Manage secmodel count (nsecmodels) through the module framework. This eliminates the need for secmodel_{,de}register() calls in secmodel code.
- Prepare for secmodel modularization by adding relevant module bits. The secmodels don't allow auto unload. The bsd44 secmodel depends on the suser and securelevel secmodels. The overlay secmodel depends on the bsd44 secmodel. As the module class is only cosmetic, and to prevent ambiguity, the bsd44 and overlay secmodels are prefixed with "secmodel_".
- Adapt the overlay secmodel to recent changes (mainly vnode scope).
- Stop using link-sets for the sysctl node(s) creation.
- Keep sysctl variables under nodes of their relevant secmodels. In other words, don't create duplicates for the suser/securelevel secmodels under the bsd44 secmodel, as the latter is merely used for "grouping".
- For the suser and securelevel secmodels, "advertise presence" in relevant sysctl nodes (sysctl.security.models.{suser,securelevel}).
- Get rid of the LKM preprocessor stuff.
- As secmodels are now modules, there's no need for an explicit call to secmodel_start(); it's handled by the module framework. That said, the module framework was adjusted to properly load secmodels early during system startup.
- Adapt rump to changes: Instead of using empty stubs for securelevel, simply use the suser secmodel. Also replace secmodel_start() with a call to secmodel_suser_start().
- 5.99.20.
Testing was done on i386 ("release" build). Separated module_init() changes were tested on sparc and sparc64 as well by martin@ (thanks!).
Mailing list reference:
http://mail-index.netbsd.org/tech-kern/2009/09/25/msg006135.html

1.34.14.3 | 22-May-2014 | yamt | sync with head.
for a reference, the tree before this commit was tagged as yamt-pagecache-tag8.
this commit was split into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments")

1.34.14.2 | 16-Jan-2013 | yamt | sync with (a bit old) head

1.34.14.1 | 17-Apr-2012 | yamt | sync with head

1.34.4.2 | 11-Mar-2010 | yamt | sync with head

1.34.4.1 | 29-Dec-2009 | yamt | file secmodel_suser.c was added on branch yamt-nfs-mp on 2010-03-11 15:04:41 +0000

1.35.2.2 | 05-Apr-2012 | mrg | sync to latest -current.

1.35.2.1 | 18-Feb-2012 | mrg | merge to -current.

1.39.2.3 | 03-Dec-2017 | jdolecek | update from HEAD

1.39.2.2 | 20-Aug-2014 | tls | Rebase to HEAD as of a few days ago.

1.39.2.1 | 20-Nov-2012 | tls | Resync to 2012-11-19 00:00:00 UTC

1.40.2.1 | 18-May-2014 | rmind | sync with head

1.41.6.2 | 28-Aug-2017 | skrll | Sync with HEAD

1.41.6.1 | 22-Sep-2015 | skrll | Sync with HEAD

1.42.10.2 | 05-May-2018 | martin | Pull up following revision(s) (requested by alnsn in ticket #790):
share/man/man9/secmodel_securelevel.9: revision 1.16
sys/secmodel/suser/secmodel_suser.c: revision 1.44
sys/secmodel/securelevel/secmodel_securelevel.c: revision 1.31
sys/sys/kauth.h: revision 1.76
sys/arch/x86/x86/svs.c: revision 1.18
Add KAUTH_MACHDEP_SVS_DISABLE and add support to secmodel_securelevel(9). Disabling SVS is denied at securelevel 1 and above.
Add SVS. It may not be disabled at securelevel 1 and above.

1.42.10.1 | 01-Aug-2017 | snj | Pull up following revision(s) (requested by maxv in ticket #164):
distrib/sets/lists/base/md.amd64: revision 1.269
distrib/sets/lists/debug/md.amd64: revision 1.97
sys/arch/amd64/conf/GENERIC: revision 1.460
sys/arch/amd64/conf/files.amd64: revision 1.89
sys/arch/i386/conf/GENERIC: revision 1.1157
sys/arch/i386/conf/files.i386: revision 1.379
sys/arch/i386/i386/i386_trap.S: revision 1.7-1.8
sys/arch/i386/include/frameasm.h: revision 1.16
sys/arch/x86/include/sysarch.h: revision 1.12
sys/arch/x86/x86/pmc.c: revision 1.8-1.10
sys/arch/x86/x86/sys_machdep.c: revision 1.36
sys/arch/xen/conf/files.compat: revision 1.26
sys/secmodel/suser/secmodel_suser.c: revision 1.43
sys/sys/kauth.h: revision 1.74
usr.bin/pmc/Makefile: revision 1.5
usr.bin/pmc/pmc.1: revision 1.12-1.13
usr.bin/pmc/pmc.c: revision 1.24-1.25
style
--
style
--
Disable interrupts for T_NMI (inline calltrap). Note that there's still a way to evade the NMI mode here, if a segment register faults in INTRFASTEXIT; but we don't care. I didn't test this change, but it seems fine enough.
--
Make the PMC syscalls privileged.
--
Check argc, and add a message.
--
include opt_pmc.h
--
Build the pmc tool on amd64.
--
Properly handle overflows, and take them into account in userland.
--
Update.
--
Enable PMCs by default.
--
Sort sections. Fix macro usage.

1.43.4.4 | 20-Oct-2018 | pgoyette | Sync with head

1.43.4.3 | 06-Sep-2018 | pgoyette | Sync with HEAD
Resolve a couple of conflicts (result of the uimin/uimax changes)

1.43.4.2 | 28-Jul-2018 | pgoyette | Sync with HEAD

1.43.4.1 | 02-May-2018 | pgoyette | Synch with HEAD

1.44.2.2 | 08-Apr-2020 | martin | Merge changes from current as of 20200406

1.44.2.1 | 10-Jun-2019 | christos | Sync with HEAD

1.50.6.1 | 29-Feb-2020 | ad | Sync with head.

1.55.20.2 | 13-Jan-2023 | martin | Pull up following revision(s) (requested by jakllsch in ticket #49):
sys/secmodel/suser/secmodel_suser.c: revision 1.57
sys/sys/kauth.h: revision 1.89
sys/net/if_wg.c: revision 1.72
sys/net/if_wg.c: revision 1.73
sys/net/if_wg.c: revision 1.74
Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4). Addresses PR 57161.
wg(4): Allow non-root to retrieve information other than the private key and the peer preshared key.
Add kauth(9) enums for wg(4) and use them in suser secmodel.
Refines fix for PR 57161.
centralize the kauth ugliness.

1.55.20.1 | 13-Jan-2023 | martin | Pull up following revision(s) (requested by jakllsch in ticket #45):
sys/secmodel/suser/secmodel_suser.c: revision 1.56
sys/sys/kauth.h: revision 1.88
sys/arch/sparc/conf/INSTALL: revision 1.106
share/examples/secmodel/secmodel_example.c: revision 1.29
sys/conf/files: revision 1.1306
remove lingering strip(4) remnants
more strip(4) removal, this time in kauth(9)