secmodel_overlay.c revision 1.8.20.1
      1  1.8.20.1  matt /* secmodel_overlay.c,v 1.8 2007/01/16 11:53:00 elad Exp */
      2       1.1  elad /*-
      3       1.1  elad  * Copyright (c) 2006 Elad Efrat <elad (at) NetBSD.org>
      4       1.1  elad  * All rights reserved.
      5       1.1  elad  *
      6       1.1  elad  * Redistribution and use in source and binary forms, with or without
      7       1.1  elad  * modification, are permitted provided that the following conditions
      8       1.1  elad  * are met:
      9       1.1  elad  * 1. Redistributions of source code must retain the above copyright
     10       1.1  elad  *    notice, this list of conditions and the following disclaimer.
     11       1.1  elad  * 2. Redistributions in binary form must reproduce the above copyright
     12       1.1  elad  *    notice, this list of conditions and the following disclaimer in the
     13       1.1  elad  *    documentation and/or other materials provided with the distribution.
     14       1.5  elad  * 3. The name of the author may not be used to endorse or promote products
     15       1.1  elad  *    derived from this software without specific prior written permission.
     16       1.1  elad  *
     17       1.1  elad  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     18       1.1  elad  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     19       1.1  elad  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     20       1.1  elad  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     21       1.1  elad  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     22       1.1  elad  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     23       1.1  elad  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     24       1.1  elad  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     25       1.1  elad  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     26       1.1  elad  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     27       1.1  elad  */
     28       1.1  elad 
     29       1.2  elad #include <sys/cdefs.h>
     30  1.8.20.1  matt __KERNEL_RCSID(0, "secmodel_overlay.c,v 1.8 2007/01/16 11:53:00 elad Exp");
     31       1.2  elad 
     32       1.1  elad #include <sys/types.h>
     33       1.1  elad #include <sys/param.h>
     34       1.1  elad #include <sys/kauth.h>
     35       1.1  elad 
     36       1.1  elad #include <sys/sysctl.h>
     37       1.1  elad 
     38       1.1  elad #include <secmodel/secmodel.h>
     39       1.1  elad #include <secmodel/overlay/overlay.h>
     40       1.1  elad 
     41       1.1  elad #include <secmodel/bsd44/bsd44.h>
     42       1.1  elad #include <secmodel/bsd44/suser.h>
     43  1.8.20.1  matt 
     44  1.8.20.1  matt #include <secmodel/securelevel/securelevel.h>
     45       1.1  elad 
/*
 * Names of the overlay's internal fall-back scopes, one per kauth(9)
 * scope the overlay listens on.  secmodel_overlay_init() registers them
 * and attaches the bsd44 and securelevel listeners to them.
 */
#define	OVERLAY_ISCOPE_GENERIC	"org.netbsd.kauth.overlay.generic"
#define	OVERLAY_ISCOPE_SYSTEM	"org.netbsd.kauth.overlay.system"
#define	OVERLAY_ISCOPE_PROCESS	"org.netbsd.kauth.overlay.process"
#define	OVERLAY_ISCOPE_NETWORK	"org.netbsd.kauth.overlay.network"
#define	OVERLAY_ISCOPE_MACHDEP	"org.netbsd.kauth.overlay.machdep"
#define	OVERLAY_ISCOPE_DEVICE	"org.netbsd.kauth.overlay.device"

/*
 * Handles for the scopes named above, as returned by
 * kauth_register_scope().  Each overlay listener hands its handle to
 * kauth_authorize_action() when it defers a request.
 */
static kauth_scope_t secmodel_overlay_iscope_generic;
static kauth_scope_t secmodel_overlay_iscope_system;
static kauth_scope_t secmodel_overlay_iscope_process;
static kauth_scope_t secmodel_overlay_iscope_network;
static kauth_scope_t secmodel_overlay_iscope_machdep;
static kauth_scope_t secmodel_overlay_iscope_device;

/*
 * Defined outside this file; exposed below as the
 * security.models.overlay.curtain sysctl.
 */
extern int secmodel_bsd44_curtain;
     64       1.1  elad 
/*
 * Set up the fall-back half of the overlay security model.
 *
 * Six internal scopes are registered, each with no callback and no cookie
 * of its own.  The bsd44 suser listener is then attached to every one of
 * them and the securelevel listener to all but the generic scope.
 * secmodel_bsd44_init() runs last.
 *
 * NOTE(review): the handles returned by kauth_register_scope() are stored
 * unchecked and the results of kauth_listen_scope() are dropped.  The
 * overlay listeners pass these handles straight to
 * kauth_authorize_action(), so a failed registration would not be noticed
 * here; consider asserting on the results.
 */
void
secmodel_overlay_init(void)
{
	/* Phase 1: create the internal fall-back scopes. */
	secmodel_overlay_iscope_generic =
	    kauth_register_scope(OVERLAY_ISCOPE_GENERIC, NULL, NULL);
	secmodel_overlay_iscope_system =
	    kauth_register_scope(OVERLAY_ISCOPE_SYSTEM, NULL, NULL);
	secmodel_overlay_iscope_process =
	    kauth_register_scope(OVERLAY_ISCOPE_PROCESS, NULL, NULL);
	secmodel_overlay_iscope_network =
	    kauth_register_scope(OVERLAY_ISCOPE_NETWORK, NULL, NULL);
	secmodel_overlay_iscope_machdep =
	    kauth_register_scope(OVERLAY_ISCOPE_MACHDEP, NULL, NULL);
	secmodel_overlay_iscope_device =
	    kauth_register_scope(OVERLAY_ISCOPE_DEVICE, NULL, NULL);

	/*
	 * Phase 2: hang the fall-back listeners on those scopes.  The
	 * order of the calls is kept as it was: suser first, then
	 * securelevel, scope by scope.
	 */

	/* generic: suser only */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_GENERIC, secmodel_bsd44_suser_generic_cb, NULL);

	/* system */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_SYSTEM, secmodel_bsd44_suser_system_cb, NULL);
	kauth_listen_scope(
	    OVERLAY_ISCOPE_SYSTEM, secmodel_securelevel_system_cb, NULL);

	/* process */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_PROCESS, secmodel_bsd44_suser_process_cb, NULL);
	kauth_listen_scope(
	    OVERLAY_ISCOPE_PROCESS, secmodel_securelevel_process_cb, NULL);

	/* network */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_NETWORK, secmodel_bsd44_suser_network_cb, NULL);
	kauth_listen_scope(
	    OVERLAY_ISCOPE_NETWORK, secmodel_securelevel_network_cb, NULL);

	/* machdep */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_MACHDEP, secmodel_bsd44_suser_machdep_cb, NULL);
	kauth_listen_scope(
	    OVERLAY_ISCOPE_MACHDEP, secmodel_securelevel_machdep_cb, NULL);

	/* device */
	kauth_listen_scope(
	    OVERLAY_ISCOPE_DEVICE, secmodel_bsd44_suser_device_cb, NULL);
	kauth_listen_scope(
	    OVERLAY_ISCOPE_DEVICE, secmodel_securelevel_device_cb, NULL);

	secmodel_bsd44_init();
}
    121       1.1  elad 
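/*
 * Create the security.models.overlay sysctl subtree with three leaves:
 * "name" (a fixed string), "securelevel" and "curtain".
 *
 * The three interior nodes are created in sequence and each becomes the
 * parent of the next call through rnode.  rnode now starts out NULL and
 * setup stops as soon as an interior node cannot be created, so a failed
 * call can no longer leave a stale or unset parent pointer for the calls
 * that follow.  The leaves stay best-effort: a failure on one of them
 * does not prevent the others from being created.
 *
 * NOTE(review): "securelevel" is routed through the
 * secmodel_securelevel_sysctl handler, but "curtain" has no handler and
 * is bound directly to secmodel_bsd44_curtain with CTLFLAG_READWRITE.
 * Nothing in this file range-checks the value written or ties a change
 * to the current securelevel; confirm that is intended.
 */
SYSCTL_SETUP(sysctl_security_overlay_setup,
    "sysctl security overlay setup")
{
	const struct sysctlnode *rnode = NULL;

	/* security */
	if (sysctl_createv(clog, 0, NULL, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "security", NULL,
	    NULL, 0, NULL, 0,
	    CTL_SECURITY, CTL_EOL) != 0 || rnode == NULL)
		return;

	/* security.models */
	if (sysctl_createv(clog, 0, &rnode, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "models", NULL,
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL) != 0 || rnode == NULL)
		return;

	/* security.models.overlay */
	if (sysctl_createv(clog, 0, &rnode, &rnode,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_NODE, "overlay",
	    SYSCTL_DESCR("Overlay security model on-top of bsd44, "),
	    NULL, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL) != 0 || rnode == NULL)
		return;

	/* Leaf: fixed model name. */
	(void)sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT,
	    CTLTYPE_STRING, "name", NULL,
	    NULL, 0, __UNCONST("Overlay (on-top of bsd44)"), 0,
	    CTL_CREATE, CTL_EOL);

	/* Leaf: securelevel, served by the securelevel model's handler. */
	(void)sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "securelevel",
	    SYSCTL_DESCR("System security level"),
	    secmodel_securelevel_sysctl, 0, NULL, 0,
	    CTL_CREATE, CTL_EOL);

	/* Leaf: curtain, a plain read-write int with no handler. */
	(void)sysctl_createv(clog, 0, &rnode, NULL,
	    CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
	    CTLTYPE_INT, "curtain",
	    SYSCTL_DESCR("Curtain information about objects to "
			 "users not owning them."),
	    NULL, 0, &secmodel_bsd44_curtain, 0,
	    CTL_CREATE, CTL_EOL);
}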
    167       1.1  elad 
/*
 * Bring the overlay security model up.
 *
 * secmodel_overlay_init() runs first so that the internal fall-back scope
 * handles are set before any overlay listener, which forwards to those
 * handles, is attached.  One overlay listener is then attached to each of
 * the six kauth(9) scopes, and secmodel_register() is called last.
 *
 * NOTE(review): the results of kauth_listen_scope() are not checked, so a
 * scope left without its overlay listener would not be reported here.
 */
void
secmodel_overlay_start(void)
{
	secmodel_overlay_init();

	kauth_listen_scope(
	    KAUTH_SCOPE_GENERIC, secmodel_overlay_generic_cb, NULL);
	kauth_listen_scope(
	    KAUTH_SCOPE_SYSTEM, secmodel_overlay_system_cb, NULL);
	kauth_listen_scope(
	    KAUTH_SCOPE_PROCESS, secmodel_overlay_process_cb, NULL);
	kauth_listen_scope(
	    KAUTH_SCOPE_NETWORK, secmodel_overlay_network_cb, NULL);
	kauth_listen_scope(
	    KAUTH_SCOPE_MACHDEP, secmodel_overlay_machdep_cb, NULL);
	kauth_listen_scope(
	    KAUTH_SCOPE_DEVICE, secmodel_overlay_device_cb, NULL);

	secmodel_register();
}
    191       1.1  elad 
/*
 * Model-independent start hook: in this file it does nothing but start
 * the overlay model.  The caller is not part of this file.
 */
void
secmodel_start(void)
{

	secmodel_overlay_start();
}
    197       1.7  elad 
/*
 * kauth(9) listener the overlay attaches to the generic scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal generic
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_generic_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No generic action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_generic,
	    cred, action, arg0, arg1, arg2, arg3));
}
    223       1.1  elad 
/*
 * kauth(9) listener the overlay attaches to the system scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal system
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_system_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No system action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_system,
	    cred, action, arg0, arg1, arg2, arg3));
}
    249       1.1  elad 
/*
 * kauth(9) listener the overlay attaches to the process scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal process
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_process_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No process action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_process,
	    cred, action, arg0, arg1, arg2, arg3));
}
    275       1.1  elad 
/*
 * kauth(9) listener the overlay attaches to the network scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal network
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_network_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No network action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_network,
	    cred, action, arg0, arg1, arg2, arg3));
}
    301       1.1  elad 
/*
 * kauth(9) listener the overlay attaches to the machdep scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal machdep
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_machdep_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No machdep action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_machdep,
	    cred, action, arg0, arg1, arg2, arg3));
}
    327       1.4  elad 
/*
 * kauth(9) listener the overlay attaches to the device scope.
 *
 * The switch is the place for overlay-specific decisions on individual
 * actions.  As written it has only a default arm, so every request is
 * deferred and answered by the listeners on the internal device
 * fall-back scope.  `cookie' is unused.
 *
 * NOTE(review): the value of kauth_authorize_action() is returned as this
 * listener's result; confirm it is in the same value space as the
 * KAUTH_RESULT_* constants.
 */
int
secmodel_overlay_device_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
{
	int verdict = KAUTH_RESULT_DEFER;

	switch (action) {
	default:
		/* No device action is decided by the overlay itself. */
		break;
	}

	/* A decision made above stands; only a deferral falls through. */
	if (verdict != KAUTH_RESULT_DEFER)
		return (verdict);

	return (kauth_authorize_action(secmodel_overlay_iscope_device,
	    cred, action, arg0, arg1, arg2, arg3));
}