After I introduced two new privileges as suggested on the list (see attachment with new priv_defs file for semantic), I started to dig into the network kernel code to discover where to test these privileges (new secpolicy functions are in progress).
The privileges have to be probed before a connect, a listen, a bind, an accept or a send*/recv* for unconnected UDP is made. Basically, I figured out three potential places where to place new privilege tests: 1. At system call entry level (socksyscalls.c): I am not sure whether a user may circumvent the check if he e. g. uses putmsg and a bind request 2. At vnode-socketops level (socktpi.c and socksctp.c): By the way: Is the sctp-implementation compatible with the TPI-model (e. g. its connect function is directly called and not realized in a STREAM module that receives T_CONN_REQ, isn't it?) May checks at socketops level be circumvented by a user if SS_DIRECT is set? 3. At TPI module/driver level (tcp.c, udp.c, tl.c (seems as if Unix Domain socket functionality is implemented here) and in sctp_bind.c, sctp_output.c and various other files I would prefer chosing possibility 1 or 2 but looking for other privilege checks like PRIV_NET_PRIVADDR, I realized that these tests use possibility 3. Perhaps even a mixed approach should be applied. While looking through the code, I found some pieces about NetaTalk and NCA. Are these protocols relevant for my job? Is there a figure or something that describes what PTI modules/drivers/stream head are used when a communication via TCP/UDP/SCTP takes place? At the moment, I am a little bit confused about the terms PTI, TLI, XTI, stream head, sockfs, vnodes and devpaths, I do not exactly know how many possibilities there are to do the same thing but using another system call or way through the various layers. First I thought that everything goes over traditional Unix system calls (like connect, bind, ...), then over routines in socksubr.c to a vnode (defined either in socktpi.c or socksctp.c) and then over TPI messages to the concrete transport protocol. sctp seems not to use PTI when it calls its connect function. Furthermore, I learned from the code that one could use putmsg instead of connect to connect a socket (I have no idea how this should work with sctp). Then I discovered the possibility to use t_open and /dev/tcp and a file named /etc/netconfig and things like SS_DIRECT. For what purpose /dev/ip, /dev/tcp, ... are actually needed? How this relates to sockfs? Things get harder for me when examining how data is received or sent. I understand how read and writes are transferred to socket ops (sockvnops.c and socksctpvnops.c) but they use different approaches and different pathes through the layers. First I thought, this would be done with T_DATA_REQ messages but this seems to be only one possibility (e. g. strwrite and direct calls seems to be another). Perhaps these details are not relevant for my job, at the moment, I am not sure in what detail I have to understand the networking code. To sum it up: I am looking for the earliest places, I can intercept requests in order to probe the required privileges where there is no possibility to circumvent the place where the tests are located. The deeper these places are, the harder it is to catch all valid pathes and to react to future changes. I have no further experience in the Solaris kernel, so please forgive me if answers to my questions are too obvious. If there is any freely available documentation about the network part in the kernel, I should read, please tell me (at the moment, I only had a look into the STREAMS Programming Guide). Thanks in advance Johannes
priv_defs
Description: priv_defs
_______________________________________________ networking-discuss mailing list [email protected]
