kern_auth.c revision 1.1.2.24 1 /* $NetBSD: kern_auth.c,v 1.1.2.24 2006/03/14 02:49:15 elad Exp $ */
2
3 /*-
4 * Copyright (c) 2005, 2006 Elad Efrat <elad (at) NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Elad Efrat.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 /*
34 * Todo:
35 * - Garbage collection to pool_put() unused scopes/listeners.
36 */
37
38 #include <sys/types.h>
39 #include <sys/param.h>
40 #include <sys/queue.h>
41 #include <sys/time.h>
42 #include <sys/proc.h>
43 #include <sys/ucred.h>
44 #include <sys/pool.h>
45 #include <sys/kauth.h>
46 #include <sys/acct.h>
47
48 /*
49 * Credentials.
50 */
51 struct kauth_cred {
52 struct simplelock cr_lock; /* lock */
53 uint32_t cr_refcnt; /* reference count */
54 uid_t cr_uid; /* user id */
55 uid_t cr_euid; /* effective user id */
56 uid_t cr_svuid; /* saved effective user id */
57 gid_t cr_gid; /* group id */
58 gid_t cr_egid; /* effective group id */
59 gid_t cr_svgid; /* saved effective group id */
60 uint16_t cr_ngroups; /* number of groups */
61 gid_t cr_groups[NGROUPS]; /* group memberships */
62 };
63
64 /*
65 * Listener.
66 */
67 struct kauth_listener {
68 kauth_scope_callback_t func; /* callback */
69 kauth_scope_t scope; /* scope backpointer */
70 uint32_t refcnt; /* reference count */
71 SIMPLEQ_ENTRY(kauth_listener) listener_next; /* listener list */
72 };
73
74 /*
75 * Scope.
76 */
77 struct kauth_scope {
78 const char *id; /* scope name */
79 void *cookie; /* user cookie */
80 uint32_t nlisteners; /* # of listeners */
81 SIMPLEQ_HEAD(, kauth_listener) listenq; /* listener list */
82 SIMPLEQ_ENTRY(kauth_scope) next_scope; /* scope list */
83 };
84
85 POOL_INIT(kauth_scope_pool, sizeof(struct kauth_scope), 0, 0, 0,
86 "kauth_scopepl", &pool_allocator_nointr);
87 POOL_INIT(kauth_listener_pool, sizeof(struct kauth_listener), 0, 0, 0,
88 "kauth_listenerpl", &pool_allocator_nointr);
89 POOL_INIT(kauth_cred_pool, sizeof(struct kauth_cred), 0, 0, 0,
90 "kauth_credpl", &pool_allocator_nointr);
91
92 /* List of scopes and its lock. */
93 SIMPLEQ_HEAD(, kauth_scope) scope_list;
94 struct simplelock scopes_lock;
95
96 /* Built-in scopes: generic, process. */
97 static kauth_scope_t kauth_builtin_scope_generic;
98 static kauth_scope_t kauth_builtin_scope_process;
99
100 /* Allocate new, empty kauth credentials. */
101 kauth_cred_t
102 kauth_cred_alloc(void) {
103 kauth_cred_t cred;
104
105 cred = pool_get(&kauth_cred_pool, PR_WAITOK);
106 memset(cred, 0, sizeof(*cred));
107 simple_lock_init(&cred->cr_lock);
108 cred->cr_refcnt = 1;
109
110 return (cred);
111 }
112
113 /* Increment reference count to cred. */
114 void
115 kauth_cred_hold(kauth_cred_t cred)
116 {
117 KASSERT(cred != NULL);
118
119 simple_lock(&cred->cr_lock);
120 cred->cr_refcnt++;
121 simple_unlock(&cred->cr_lock);
122 }
123
124 void
125 kauth_cred_destroy(kauth_cred_t cred)
126 {
127 KASSERT(cred != NULL);
128
129 pool_put(&kauth_cred_pool, cred);
130 }
131
132 /* Decrease reference count to cred. If reached zero, free it. */
133 void
134 kauth_cred_free(kauth_cred_t cred) {
135 KASSERT(cred != NULL);
136
137 simple_lock(&cred->cr_lock);
138 cred->cr_refcnt--;
139 simple_unlock(&cred->cr_lock);
140
141 if (cred->cr_refcnt == 0)
142 kauth_cred_destroy(cred);
143 }
144
145 void
146 kauth_cred_clone(kauth_cred_t from, kauth_cred_t to)
147 {
148 KASSERT(from != NULL);
149 KASSERT(to != NULL);
150
151 to->cr_uid = from->cr_uid;
152 to->cr_euid = from->cr_euid;
153 to->cr_svuid = from->cr_svuid;
154 to->cr_gid = from->cr_gid;
155 to->cr_egid = from->cr_egid;
156 to->cr_svgid = from->cr_svgid;
157 to->cr_ngroups = from->cr_ngroups;
158 memcpy(to->cr_groups, from->cr_groups,
159 sizeof(to->cr_groups));
160 }
161
162 /*
163 * Duplicate cred and return a new kauth_cred_t.
164 */
165 kauth_cred_t
166 kauth_cred_dup(kauth_cred_t cred)
167 {
168 kauth_cred_t new_cred;
169
170 KASSERT(cred != NULL);
171
172 new_cred = kauth_cred_alloc();
173
174 kauth_cred_clone(cred, new_cred);
175
176 return (new_cred);
177 }
178
179 /*
180 * Similar to crcopy(), only on a kauth_cred_t.
181 * XXX: Is this even needed? [kauth_cred_copy]
182 */
183 kauth_cred_t
184 kauth_cred_copy(kauth_cred_t cred)
185 {
186 kauth_cred_t new_cred;
187
188 KASSERT(cred != NULL);
189
190 /* If the provided credentials already have one reference, use them. */
191 if (cred->cr_refcnt == 1)
192 return (cred);
193
194 new_cred = kauth_cred_alloc();
195
196 kauth_cred_clone(cred, new_cred);
197
198 kauth_cred_free(cred);
199
200 return (new_cred);
201 }
202
203 uid_t
204 kauth_cred_getuid(kauth_cred_t cred)
205 {
206 KASSERT(cred != NULL);
207
208 return (cred->cr_uid);
209 }
210
211 uid_t
212 kauth_cred_geteuid(kauth_cred_t cred)
213 {
214 KASSERT(cred != NULL);
215
216 return (cred->cr_euid);
217 }
218
219 uid_t
220 kauth_cred_getsvuid(kauth_cred_t cred)
221 {
222 KASSERT(cred != NULL);
223
224 return (cred->cr_svuid);
225 }
226
227 gid_t
228 kauth_cred_getgid(kauth_cred_t cred)
229 {
230 KASSERT(cred != NULL);
231
232 return (cred->cr_gid);
233 }
234
235 gid_t
236 kauth_cred_getegid(kauth_cred_t cred)
237 {
238 KASSERT(cred != NULL);
239
240 return (cred->cr_egid);
241 }
242
243 gid_t
244 kauth_cred_getsvgid(kauth_cred_t cred)
245 {
246 KASSERT(cred != NULL);
247
248 return (cred->cr_svgid);
249 }
250
251 void
252 kauth_cred_setuid(kauth_cred_t cred, uid_t uid)
253 {
254 KASSERT(cred != NULL);
255 KASSERT(uid >= 0 && uid <= UID_MAX);
256
257 cred->cr_uid = uid;
258 }
259
260 void
261 kauth_cred_seteuid(kauth_cred_t cred, uid_t uid)
262 {
263 KASSERT(cred != NULL);
264 KASSERT(uid >= 0 && uid <= UID_MAX);
265
266 cred->cr_euid = uid;
267 }
268
269 void
270 kauth_cred_setsvuid(kauth_cred_t cred, uid_t uid)
271 {
272 KASSERT(cred != NULL);
273 KASSERT(uid >= 0 && uid <= UID_MAX);
274
275 cred->cr_svuid = uid;
276 }
277
278 void
279 kauth_cred_setgid(kauth_cred_t cred, gid_t gid)
280 {
281 KASSERT(cred != NULL);
282 KASSERT(gid >= 0 && gid <= GID_MAX);
283
284 cred->cr_gid = gid;
285 }
286
287 void
288 kauth_cred_setegid(kauth_cred_t cred, gid_t gid)
289 {
290 KASSERT(cred != NULL);
291 KASSERT(gid >= 0 && gid <= GID_MAX);
292
293 cred->cr_egid = gid;
294 }
295
296 void
297 kauth_cred_setsvgid(kauth_cred_t cred, gid_t gid)
298 {
299 KASSERT(cred != NULL);
300 KASSERT(gid >= 0 && gid <= GID_MAX);
301
302 cred->cr_svgid = gid;
303 }
304
305 /* Checks if gid is a member of the groups in cred. */
306 int
307 kauth_cred_ismember_gid(kauth_cred_t cred, gid_t gid, int *resultp)
308 {
309 int i;
310
311 KASSERT(cred != NULL);
312 KASSERT(gid >= 0 && gid <= GID_MAX);
313 KASSERT(resultp != NULL);
314
315 *resultp = 0;
316
317 for (i = 0; i < cred->cr_ngroups; i++)
318 if (cred->cr_groups[i] == gid) {
319 *resultp = 1;
320 break;
321 }
322
323 return (0);
324 }
325
326 uint16_t
327 kauth_cred_ngroups(kauth_cred_t cred)
328 {
329 KASSERT(cred != NULL);
330
331 return (cred->cr_ngroups);
332 }
333
334 /*
335 * Return the group at index idx from the groups in cred.
336 */
337 gid_t
338 kauth_cred_group(kauth_cred_t cred, uint16_t idx)
339 {
340 KASSERT(cred != NULL);
341 KASSERT(idx < cred->cr_ngroups);
342
343 return (cred->cr_groups[idx]);
344 }
345
346 /* XXX elad: gmuid is unused for now. */
347 int
348 kauth_cred_setgroups(kauth_cred_t cred, gid_t *grbuf, size_t len, uid_t gmuid)
349 {
350 KASSERT(cred != NULL);
351 KASSERT(len < sizeof(cred->cr_groups) / sizeof(cred->cr_groups[0]));
352
353 simple_lock(&cred->cr_lock);
354
355 if (len)
356 memcpy(cred->cr_groups, grbuf, len * sizeof(cred->cr_groups[0]));
357 memset(cred->cr_groups + len, 0xff,
358 sizeof(cred->cr_groups) - (len * sizeof(cred->cr_groups[0])));
359
360 cred->cr_ngroups = len;
361
362 simple_unlock(&cred->cr_lock);
363
364 return (0);
365 }
366
367 int
368 kauth_cred_getgroups(kauth_cred_t cred, gid_t *grbuf, size_t len)
369 {
370 KASSERT(cred != NULL);
371 KASSERT(len <= cred->cr_ngroups);
372
373 memset(grbuf, 0xff, sizeof(*grbuf) * len);
374 simple_lock(&cred->cr_lock);
375 memcpy(grbuf, cred->cr_groups, sizeof(*grbuf) * len);
376 simple_unlock(&cred->cr_lock);
377
378 return (0);
379 }
380
381 /*
382 * Match uids in two credentials. Checks if cred1 can access stuff owned by
383 * cred2.
384 * XXX: root bypasses this!
385 */
386 static int
387 kauth_cred_uidmatch(kauth_cred_t cred1, kauth_cred_t cred2)
388 {
389 KASSERT(cred1 != NULL);
390 KASSERT(cred2 != NULL);
391
392 /* Are we root? */
393 if (cred1->cr_euid == 0)
394 return (1);
395
396 if (cred1->cr_uid == cred2->cr_uid ||
397 cred1->cr_euid == cred2->cr_uid ||
398 cred1->cr_uid == cred2->cr_euid ||
399 cred1->cr_euid == cred2->cr_euid)
400 return (1);
401
402 return (0);
403 }
404
405 uint32_t
406 kauth_cred_getrefcnt(kauth_cred_t cred)
407 {
408 KASSERT(cred != NULL);
409
410 return (cred->cr_refcnt);
411 }
412
413 /*
414 * Convert userland credentials (struct uucred) to kauth_cred_t.
415 * XXX: For NFS code.
416 */
417 void
418 kauth_cred_uucvt(kauth_cred_t cred, const struct uucred *uuc)
419 {
420 KASSERT(cred != NULL);
421 KASSERT(uuc != NULL);
422
423 cred->cr_refcnt = 1;
424 cred->cr_uid = uuc->cr_uid;
425 cred->cr_euid = uuc->cr_uid;
426 cred->cr_svuid = uuc->cr_uid;
427 cred->cr_gid = uuc->cr_gid;
428 cred->cr_egid = uuc->cr_gid;
429 cred->cr_svgid = uuc->cr_gid;
430 cred->cr_ngroups = min(uuc->cr_ngroups, NGROUPS);
431 kauth_cred_setgroups(cred, __UNCONST(uuc->cr_groups),
432 cred->cr_ngroups, -1);
433 }
434
435 /*
436 * Compare kauth_cred_t and uucred credentials.
437 * XXX: Modelled after crcmp() for NFS.
438 */
439 int
440 kauth_cred_uucmp(kauth_cred_t cred, const struct uucred *uuc)
441 {
442 KASSERT(cred != NULL);
443 KASSERT(uuc != NULL);
444
445 if (cred->cr_euid == uuc->cr_uid &&
446 cred->cr_egid == uuc->cr_gid &&
447 cred->cr_ngroups == uuc->cr_ngroups) {
448 int i;
449
450 /* Check if all groups from uuc appear in cred. */
451 for (i = 0; i < uuc->cr_ngroups; i++) {
452 int ismember;
453
454 ismember = 0;
455 if (kauth_cred_ismember_gid(cred, uuc->cr_groups[i],
456 &ismember) != 0 || !ismember)
457 return (0);
458 }
459
460 return (1);
461 }
462
463 return (0);
464 }
465
466 /*
467 * Make a struct ucred out of a kauth_cred_t.
468 * XXX: For sysctl.
469 */
470 void
471 kauth_cred_toucred(kauth_cred_t cred, struct ucred *uc)
472 {
473 KASSERT(cred != NULL);
474 KASSERT(uc != NULL);
475
476 uc->cr_uid = cred->cr_euid;
477 uc->cr_gid = cred->cr_egid;
478 uc->cr_ngroups = min(cred->cr_ngroups,
479 sizeof(uc->cr_groups) / sizeof(uc->cr_groups[0]));
480 memcpy(uc->cr_groups, cred->cr_groups,
481 uc->cr_ngroups * sizeof(uc->cr_groups[0]));
482 }
483
484 /*
485 * Make a struct pcred out of a kauth_cred_t.
486 * XXX: For sysctl.
487 */
488 void
489 kauth_cred_topcred(kauth_cred_t cred, struct pcred *pc)
490 {
491 KASSERT(cred != NULL);
492 KASSERT(pc != NULL);
493
494 pc->pc_ucred = (struct ucred *)cred; /* XXX this is just wrong */
495 pc->p_ruid = cred->cr_uid;
496 pc->p_svuid = cred->cr_svuid;
497 pc->p_rgid = cred->cr_gid;
498 pc->p_svgid = cred->cr_svgid;
499 pc->p_refcnt = cred->cr_refcnt;
500 }
501
502 /*
503 * Return kauth_cred_t for the current process.
504 */
505 kauth_cred_t
506 kauth_cred_get(void)
507 {
508 return (curproc->p_cred);
509 }
510
511 /*
512 * Returns a scope matching the provided id.
513 * Requires the scope list lock to be held by the caller.
514 */
515 static kauth_scope_t
516 kauth_ifindscope(const char *id) {
517 kauth_scope_t scope;
518
519 /* XXX: assert lock on scope list? */
520
521 scope = NULL;
522 SIMPLEQ_FOREACH(scope, &scope_list, next_scope) {
523 if (strcmp(scope->id, id) == 0)
524 break;
525 }
526
527 return (scope);
528 }
529
530 /*
531 * Register a new scope.
532 *
533 * id - identifier for the scope
534 * callback - the scope's default listener
535 * cookie - cookie to be passed to the listener(s)
536 */
537 kauth_scope_t
538 kauth_register_scope(const char *id, kauth_scope_callback_t callback,
539 void *cookie)
540 {
541 kauth_scope_t scope;
542 kauth_listener_t listener;
543
544 /* Sanitize input */
545 if (id == NULL || callback == NULL)
546 return (NULL);
547
548 /* Allocate space for a new scope and listener. */
549 scope = pool_get(&kauth_scope_pool, PR_WAITOK);
550 listener = pool_get(&kauth_listener_pool, PR_WAITOK);
551
552 /* Acquire scope list lock. */
553 simple_lock(&scopes_lock);
554
555 /* Check we don't already have a scope with the same id */
556 if (kauth_ifindscope(id) != NULL) {
557 simple_unlock(&scopes_lock);
558
559 pool_put(&kauth_scope_pool, scope);
560 pool_put(&kauth_listener_pool, listener);
561
562 return (NULL);
563 }
564
565 /* Initialize new scope with parameters */
566 scope->id = id;
567 scope->cookie = cookie;
568 scope->nlisteners = 1;
569
570 /* Add default listener */
571 listener->func = callback;
572 listener->scope = scope;
573 listener->refcnt = 0;
574 SIMPLEQ_INIT(&scope->listenq);
575 SIMPLEQ_INSERT_HEAD(&scope->listenq, listener, listener_next);
576
577 /* Insert scope to scopes list */
578 if (SIMPLEQ_EMPTY(&scope_list))
579 SIMPLEQ_INSERT_HEAD(&scope_list, scope, next_scope);
580 else
581 SIMPLEQ_INSERT_TAIL(&scope_list, scope, next_scope);
582
583 simple_unlock(&scopes_lock);
584
585 return (scope);
586 }
587
588 /*
589 * Initialize the kernel authorization subsystem.
590 *
591 * Initialize the scopes list lock.
592 * Register built-in scopes: generic, process.
593 */
594 void
595 kauth_init(void)
596 {
597 simple_lock_init(&scopes_lock);
598
599 /* Register generic scope. */
600 kauth_builtin_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC,
601 kauth_authorize_cb_generic, NULL);
602
603 /* Register process scope. */
604 kauth_builtin_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS,
605 kauth_authorize_cb_process, NULL);
606 }
607
608 /*
609 * Deregister a scope.
610 * Requires scope list lock to be held by the caller.
611 *
612 * scope - the scope to deregister
613 */
614 void
615 kauth_deregister_scope(kauth_scope_t scope)
616 {
617 if (scope != NULL) {
618 /* Remove scope from list */
619 SIMPLEQ_REMOVE(&scope_list, scope, kauth_scope, next_scope);
620 }
621 }
622
623 /*
624 * Register a listener.
625 *
626 * id - scope identifier.
627 * callback - the callback routine for the listener.
628 * cookie - cookie to pass unmoidfied to the callback.
629 */
630 kauth_listener_t
631 kauth_listen_scope(const char *id, kauth_scope_callback_t callback,
632 void *cookie)
633 {
634 kauth_scope_t scope;
635 kauth_listener_t listener;
636
637 /* Find scope struct */
638 simple_lock(&scopes_lock);
639 scope = kauth_ifindscope(id);
640 simple_unlock(&scopes_lock);
641 if (scope == NULL)
642 return (NULL);
643
644 /* Allocate listener */
645 listener = pool_get(&kauth_listener_pool, PR_WAITOK);
646
647 /* Initialize listener with parameters */
648 listener->func = callback;
649 listener->refcnt = 0;
650
651 /* Add listener to scope */
652 SIMPLEQ_INSERT_TAIL(&scope->listenq, listener, listener_next);
653
654 /* Raise number of listeners on scope. */
655 scope->nlisteners++;
656 listener->scope = scope;
657
658 return (listener);
659 }
660
661 /*
662 * Deregister a listener.
663 *
664 * listener - listener reference as returned from kauth_listen_scope().
665 */
666 void
667 kauth_unlisten_scope(kauth_listener_t listener)
668 {
669 if (listener != NULL) {
670 SIMPLEQ_REMOVE(&listener->scope->listenq, listener, kauth_listener,
671 listener_next);
672 listener->scope->nlisteners--;
673 }
674 }
675
676 /*
677 * Authorize a request.
678 *
679 * scope - the scope of the request as defined by KAUTH_SCOPE_* or as
680 * returned from kauth_register_scope().
681 * credential - credentials of the user ("actor") making the request.
682 * action - request identifier.
683 * arg[0-3] - passed unmodified to listener(s).
684 */
685 int
686 kauth_authorize_action(kauth_scope_t scope, kauth_cred_t cred,
687 kauth_action_t action, void *arg0, void *arg1,
688 void *arg2, void *arg3)
689 {
690 kauth_listener_t listener;
691 int error, allow, fail;
692
693 /* Sanitize input */
694 if (scope == NULL || cred == NULL)
695 return (EFAULT);
696 if (!action)
697 return (EINVAL);
698
699 /*
700 * Each scope is associated with at least one listener. We need to
701 * traverse that list of listeners, as long as they return either
702 * KAUTH_REQUEST_DEFER or KAUTH_REQUEST_ALLOW.
703 */
704 fail = 0;
705 allow = 0;
706 SIMPLEQ_FOREACH(listener, &scope->listenq, listener_next) {
707 error = listener->func(cred, action, scope->cookie, arg0,
708 arg1, arg2, arg3);
709
710 if (error == KAUTH_RESULT_ALLOW)
711 allow = 1;
712 else if (error == KAUTH_RESULT_DENY)
713 fail = 1;
714 }
715
716 return ((allow && !fail) ? 0 : EPERM);
717 };
718
719 /*
720 * Generic scope default callback.
721 */
722 int
723 kauth_authorize_cb_generic(kauth_cred_t cred, kauth_action_t action,
724 void *cookie, void *arg0, void *arg1, void *arg2,
725 void *arg3)
726 {
727 int error;
728
729 error = KAUTH_RESULT_DEFER;
730
731 switch (action) {
732 case KAUTH_GENERIC_ISSUSER:
733 /* Check if credential belongs to superuser. */
734 if (cred->cr_euid == 0) {
735 u_short *acflag = (u_short *)arg0;
736
737 if (acflag != NULL)
738 *acflag |= ASU;
739
740 error = KAUTH_RESULT_ALLOW;
741 } else
742 error = KAUTH_RESULT_DENY;
743 break;
744 }
745
746 return (error);
747 }
748
749 /*
750 * Generic scope authorization wrapper.
751 */
752 int
753 kauth_authorize_generic(kauth_cred_t cred, kauth_action_t action, void *arg0)
754 {
755 return (kauth_authorize_action(kauth_builtin_scope_generic, cred,
756 action, arg0, NULL, NULL, NULL));
757 }
758
759 /*
760 * Process scope default callback.
761 */
762 int
763 kauth_authorize_cb_process(kauth_cred_t cred, kauth_action_t action,
764 void *cookie, void *arg0, void *arg1, void *arg2,
765 void *arg3)
766 {
767 struct proc *p;
768 kauth_cred_t cred2;
769 int error;
770
771 error = KAUTH_RESULT_DEFER;
772
773 p = arg0;
774 cred2 = arg1;
775
776 switch (action) {
777 case KAUTH_PROCESS_CANSIGNAL: {
778 struct proc *to;
779 int signum;
780
781 to = arg2;
782 signum = (int)(unsigned long)arg3;
783
784 if (kauth_cred_uidmatch(cred, cred2) ||
785 (signum == SIGCONT && (p->p_session == to->p_session)))
786 error = KAUTH_RESULT_ALLOW;
787 else
788 error = KAUTH_RESULT_DEFER;
789
790 break;
791 }
792
793 case KAUTH_PROCESS_CANPTRACE:
794 if (kauth_cred_uidmatch(cred, cred2))
795 error = KAUTH_RESULT_ALLOW;
796 else
797 error = KAUTH_RESULT_DENY;
798 break;
799
800 case KAUTH_PROCESS_CANSEE:
801 if (kauth_cred_uidmatch(cred, cred2))
802 error = KAUTH_RESULT_ALLOW;
803 else
804 error = KAUTH_RESULT_DENY;
805 /* arg2 - type of information [XXX NOTIMPL] */
806 break;
807 }
808
809 return (error);
810 }
811
812 /*
813 * Process scope authorization wrapper.
814 */
815 int
816 kauth_authorize_process(kauth_cred_t cred, kauth_action_t action,
817 struct proc *p, void *arg1, void *arg2, void *arg3)
818 {
819 return (kauth_authorize_action(kauth_builtin_scope_process, cred,
820 action, p, arg1, arg2, arg3));
821 }
822