secmodel_overlay.c revision 1.2.2.2 1 1.2.2.2 yamt /* $NetBSD: secmodel_overlay.c,v 1.2.2.2 2006/09/14 12:32:00 yamt Exp $ */
2 1.2.2.2 yamt /*-
3 1.2.2.2 yamt * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org>
4 1.2.2.2 yamt * All rights reserved.
5 1.2.2.2 yamt *
6 1.2.2.2 yamt * Redistribution and use in source and binary forms, with or without
7 1.2.2.2 yamt * modification, are permitted provided that the following conditions
8 1.2.2.2 yamt * are met:
9 1.2.2.2 yamt * 1. Redistributions of source code must retain the above copyright
10 1.2.2.2 yamt * notice, this list of conditions and the following disclaimer.
11 1.2.2.2 yamt * 2. Redistributions in binary form must reproduce the above copyright
12 1.2.2.2 yamt * notice, this list of conditions and the following disclaimer in the
13 1.2.2.2 yamt * documentation and/or other materials provided with the distribution.
14 1.2.2.2 yamt * 3. All advertising materials mentioning features or use of this software
15 1.2.2.2 yamt * must display the following acknowledgement:
16 1.2.2.2 yamt * This product includes software developed by Elad Efrat.
17 1.2.2.2 yamt * 4. The name of the author may not be used to endorse or promote products
18 1.2.2.2 yamt * derived from this software without specific prior written permission.
19 1.2.2.2 yamt *
20 1.2.2.2 yamt * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21 1.2.2.2 yamt * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22 1.2.2.2 yamt * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23 1.2.2.2 yamt * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24 1.2.2.2 yamt * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25 1.2.2.2 yamt * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26 1.2.2.2 yamt * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27 1.2.2.2 yamt * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 1.2.2.2 yamt * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 1.2.2.2 yamt * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 1.2.2.2 yamt */
31 1.2.2.2 yamt
32 1.2.2.2 yamt #include <sys/cdefs.h>
33 1.2.2.2 yamt __KERNEL_RCSID(0, "$NetBSD: secmodel_overlay.c,v 1.2.2.2 2006/09/14 12:32:00 yamt Exp $");
34 1.2.2.2 yamt
35 1.2.2.2 yamt #include <sys/types.h>
36 1.2.2.2 yamt #include <sys/param.h>
37 1.2.2.2 yamt #include <sys/kauth.h>
38 1.2.2.2 yamt
39 1.2.2.2 yamt #include <sys/sysctl.h>
40 1.2.2.2 yamt
41 1.2.2.2 yamt #include <secmodel/secmodel.h>
42 1.2.2.2 yamt #include <secmodel/overlay/overlay.h>
43 1.2.2.2 yamt
44 1.2.2.2 yamt #include <secmodel/bsd44/bsd44.h>
45 1.2.2.2 yamt #include <secmodel/bsd44/suser.h>
46 1.2.2.2 yamt #include <secmodel/bsd44/securelevel.h>
47 1.2.2.2 yamt
/*
 * Fall-back settings.
 *
 * Identifiers of the overlay's private ("internal") kauth scopes. One
 * private scope is registered per public scope in secmodel_overlay_init(),
 * and the bsd44 suser/securelevel listeners are attached to those private
 * scopes instead of the public KAUTH_SCOPE_* ones. An overlay callback that
 * has nothing to say about an action re-runs it against the matching
 * private scope, which is how a request "falls back" to bsd44.
 */
#define OVERLAY_ISCOPE_GENERIC "org.netbsd.kauth.overlay.generic"
#define OVERLAY_ISCOPE_SYSTEM "org.netbsd.kauth.overlay.system"
#define OVERLAY_ISCOPE_PROCESS "org.netbsd.kauth.overlay.process"
#define OVERLAY_ISCOPE_NETWORK "org.netbsd.kauth.overlay.network"
#define OVERLAY_ISCOPE_MACHDEP "org.netbsd.kauth.overlay.machdep"

/*
 * Handles of the private scopes above, filled in by kauth_register_scope()
 * in secmodel_overlay_init() and consumed by the secmodel_overlay_*_cb()
 * listeners when they defer to bsd44.
 */
static kauth_scope_t secmodel_overlay_iscope_generic;
static kauth_scope_t secmodel_overlay_iscope_system;
static kauth_scope_t secmodel_overlay_iscope_process;
static kauth_scope_t secmodel_overlay_iscope_network;
static kauth_scope_t secmodel_overlay_iscope_machdep;

/*
 * Owned by the bsd44 model; re-exported here as the
 * security.models.overlay.curtain sysctl.
 */
extern int secmodel_bsd44_curtain;
64 1.2.2.2 yamt
/*
 * Initialize the overlay security model.
 *
 * Creates the overlay's private fall-back scopes, attaches the bsd44 suser
 * and securelevel listeners to each of them, and finally initializes bsd44
 * itself. This has to run before secmodel_start() hooks the public kauth
 * scopes, because the overlay listeners defer into the scopes created here.
 *
 * NOTE(review): the values returned by kauth_register_scope() and
 * kauth_listen_scope() are discarded, as in the original; confirm that
 * neither can fail at this point of boot, since a missing private scope
 * would leave the corresponding fall-back path without a bsd44 listener.
 */
void
secmodel_overlay_init(void)
{
	/* Private scope id -> the static handle that receives it. */
	static const struct {
		const char *id;
		kauth_scope_t *slot;
	} iscopes[] = {
		{ OVERLAY_ISCOPE_GENERIC, &secmodel_overlay_iscope_generic },
		{ OVERLAY_ISCOPE_SYSTEM, &secmodel_overlay_iscope_system },
		{ OVERLAY_ISCOPE_PROCESS, &secmodel_overlay_iscope_process },
		{ OVERLAY_ISCOPE_NETWORK, &secmodel_overlay_iscope_network },
		{ OVERLAY_ISCOPE_MACHDEP, &secmodel_overlay_iscope_machdep },
	};
	/*
	 * bsd44 listeners to attach, in listen order: suser first, then
	 * securelevel where bsd44 has a securelevel listener for the scope.
	 */
	static const struct {
		const char *id;
		int (*cb)(kauth_cred_t, kauth_action_t, void *, void *,
		    void *, void *, void *);
	} fallbacks[] = {
		{ OVERLAY_ISCOPE_GENERIC, secmodel_bsd44_suser_generic_cb },
		{ OVERLAY_ISCOPE_SYSTEM, secmodel_bsd44_suser_system_cb },
		{ OVERLAY_ISCOPE_SYSTEM, secmodel_bsd44_securelevel_system_cb },
		{ OVERLAY_ISCOPE_PROCESS, secmodel_bsd44_suser_process_cb },
		{ OVERLAY_ISCOPE_PROCESS, secmodel_bsd44_securelevel_process_cb },
		{ OVERLAY_ISCOPE_NETWORK, secmodel_bsd44_suser_network_cb },
		{ OVERLAY_ISCOPE_NETWORK, secmodel_bsd44_securelevel_network_cb },
		{ OVERLAY_ISCOPE_MACHDEP, secmodel_bsd44_suser_machdep_cb },
		{ OVERLAY_ISCOPE_MACHDEP, secmodel_bsd44_securelevel_machdep_cb },
	};
	size_t i;

	/* Register the private scopes; no scope-level callback or cookie. */
	for (i = 0; i < sizeof(iscopes) / sizeof(iscopes[0]); i++)
		*iscopes[i].slot = kauth_register_scope(iscopes[i].id,
		    NULL, NULL);

	/* Attach the bsd44 fall-back listeners to the private scopes. */
	for (i = 0; i < sizeof(fallbacks) / sizeof(fallbacks[0]); i++)
		kauth_listen_scope(fallbacks[i].id, fallbacks[i].cb, NULL);

	secmodel_bsd44_init();
}
114 1.2.2.2 yamt
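/*
 * Sysctl tree for the overlay model: security.models.overlay, holding the
 * model "name" plus the bsd44 "securelevel" and "curtain" knobs, which the
 * overlay re-exports because bsd44 is its fall-back model.
 *
 * The "overlay" node description used to end in a dangling ", " (the text
 * was evidently never finished); it is now a complete sentence.
 *
 * Return values of sysctl_createv() are not checked, in keeping with the
 * usual SYSCTL_SETUP style of the surrounding kernel code.
 */
SYSCTL_SETUP(sysctl_security_overlay_setup,
    "sysctl security overlay setup")
{
	const struct sysctlnode *rnode;

	/* security */
	sysctl_createv(clog, 0, NULL, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "security", NULL,
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* security.models */
	sysctl_createv(clog, 0, &rnode, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "models", NULL,
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* security.models.overlay */
	sysctl_createv(clog, 0, &rnode, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "overlay",
	    SYSCTL_DESCR("Overlay security model on-top of bsd44"),
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* security.models.overlay.name: read-only constant string. */
	sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_STRING, "name", NULL,
	    NULL, 0, __UNCONST("Overlay (on-top of bsd44)"), 0,
	    CTL_CREATE, CTL_EOL);

	/*
	 * security.models.overlay.securelevel: writes go through the bsd44
	 * handler rather than straight into the variable, so whatever rules
	 * bsd44 applies to changing securelevel (presumably preventing it
	 * from being lowered) also apply here -- confirm in bsd44.
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "securelevel",
	    SYSCTL_DESCR("System security level"),
	    secmodel_bsd44_sysctl_securelevel, 0, &securelevel, 0,
	    CTL_CREATE, CTL_EOL);

	/*
	 * security.models.overlay.curtain: no handler, so a write updates
	 * bsd44's secmodel_bsd44_curtain directly with no range check here.
	 */
	sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "curtain",
	    SYSCTL_DESCR("Curtain information about objects to "
	    "users not owning them."),
	    NULL, 0, &secmodel_bsd44_curtain, 0,
	    CTL_CREATE, CTL_EOL);
}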
160 1.2.2.2 yamt
/*
 * Start the overlay security model.
 *
 * Initializes the overlay (private scopes plus bsd44 fall-backs) and then
 * attaches one overlay listener to each public kauth scope. Initialization
 * must come first because the listeners defer into the private scopes.
 */
void
secmodel_start(void)
{
	/* Public scope -> overlay listener, in listen order. */
	static const struct {
		const char *scope;
		int (*cb)(kauth_cred_t, kauth_action_t, void *, void *,
		    void *, void *, void *);
	} hooks[] = {
		{ KAUTH_SCOPE_GENERIC, secmodel_overlay_generic_cb },
		{ KAUTH_SCOPE_SYSTEM, secmodel_overlay_system_cb },
		{ KAUTH_SCOPE_PROCESS, secmodel_overlay_process_cb },
		{ KAUTH_SCOPE_NETWORK, secmodel_overlay_network_cb },
		{ KAUTH_SCOPE_MACHDEP, secmodel_overlay_machdep_cb },
	};
	size_t i;

	secmodel_overlay_init();

	for (i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++)
		kauth_listen_scope(hooks[i].scope, hooks[i].cb, NULL);
}
180 1.2.2.2 yamt
/*
 * Overlay listener for the generic scope.
 *
 * Invoked by kauth for requests on KAUTH_SCOPE_GENERIC. The overlay has no
 * policy of its own for this scope yet: every action lands in the default
 * case, and the request is replayed against the private generic scope
 * (where the bsd44 suser listener lives) with the same credentials,
 * action and arguments. The cookie is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is handed back
 * verbatim as this listener's result; that relies on its return codes
 * mapping onto the KAUTH_RESULT_* values -- confirm against kern_auth.
 */
int
secmodel_overlay_generic_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	/*
	 * Extension point: overlay-specific decisions for individual
	 * actions belong here. Whatever stays at KAUTH_RESULT_DEFER is
	 * passed on to bsd44 below.
	 */
	switch (action) {
	default:
		break;
	}

	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_generic, cred,
	    action, arg0, arg1, arg2, arg3));
}
206 1.2.2.2 yamt
/*
 * Overlay listener for the system scope.
 *
 * Invoked by kauth for requests on KAUTH_SCOPE_SYSTEM. No overlay-specific
 * decision is made yet; the request is replayed unchanged against the
 * private system scope, where the bsd44 suser and securelevel listeners
 * are attached. The cookie is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as-is
 * as the listener result; confirm its return codes line up with the
 * KAUTH_RESULT_* values.
 */
int
secmodel_overlay_system_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	/* Extension point for overlay policy; nothing handled yet. */
	switch (action) {
	default:
		break;
	}

	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	/* Fall back to the bsd44 listeners on the private system scope. */
	return (kauth_authorize_action(secmodel_overlay_iscope_system, cred,
	    action, arg0, arg1, arg2, arg3));
}
232 1.2.2.2 yamt
/*
 * Overlay listener for the process scope.
 *
 * Invoked by kauth for requests on KAUTH_SCOPE_PROCESS. No overlay-specific
 * decision is made yet; the request is replayed unchanged against the
 * private process scope, where the bsd44 suser and securelevel listeners
 * are attached. The cookie is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as-is
 * as the listener result; confirm its return codes line up with the
 * KAUTH_RESULT_* values.
 */
int
secmodel_overlay_process_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	/* Extension point for overlay policy; nothing handled yet. */
	switch (action) {
	default:
		break;
	}

	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	/* Fall back to the bsd44 listeners on the private process scope. */
	return (kauth_authorize_action(secmodel_overlay_iscope_process, cred,
	    action, arg0, arg1, arg2, arg3));
}
258 1.2.2.2 yamt
/*
 * Overlay listener for the network scope.
 *
 * Invoked by kauth for requests on KAUTH_SCOPE_NETWORK. No overlay-specific
 * decision is made yet; the request is replayed unchanged against the
 * private network scope, where the bsd44 suser and securelevel listeners
 * are attached. The cookie is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as-is
 * as the listener result; confirm its return codes line up with the
 * KAUTH_RESULT_* values.
 */
int
secmodel_overlay_network_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	/* Extension point for overlay policy; nothing handled yet. */
	switch (action) {
	default:
		break;
	}

	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	/* Fall back to the bsd44 listeners on the private network scope. */
	return (kauth_authorize_action(secmodel_overlay_iscope_network, cred,
	    action, arg0, arg1, arg2, arg3));
}
284 1.2.2.2 yamt
/*
 * Overlay listener for the machdep scope.
 *
 * Invoked by kauth for requests on KAUTH_SCOPE_MACHDEP. No overlay-specific
 * decision is made yet; the request is replayed unchanged against the
 * private machdep scope, where the bsd44 suser and securelevel listeners
 * are attached. The cookie is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as-is
 * as the listener result; confirm its return codes line up with the
 * KAUTH_RESULT_* values.
 */
int
secmodel_overlay_machdep_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	/* Extension point for overlay policy; nothing handled yet. */
	switch (action) {
	default:
		break;
	}

	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	/* Fall back to the bsd44 listeners on the private machdep scope. */
	return (kauth_authorize_action(secmodel_overlay_iscope_machdep, cred,
	    action, arg0, arg1, arg2, arg3));
}