I'm submitting this fast-track for myself; it times out on July 31st, 2008.

Fine-Grained Privileges for Datalink Administration

1. Summary

  This case proposes to break down the privilege model for datalink
  administration through dladm(1M) in order to allow unprivileged
  users access to a subset of administrative operations.

  The stability level of dladm and its subcommands is Committed, and
  the release binding for this case is Patch.  No incompatible changes
  are being introduced.

2. Background

  The dladm(1M) command currently contains an explicit and global
  check for the sys_net_config and net_rawaccess privileges.  If these
  privileges are not in the effective set at the time the command is
  run, the command exits with an error claiming "insufficient
  privileges".  This check is unnecessary since the kernel contains
  privilege checks for the various operations that dladm performs
  (detailed below), but nevertheless, it's there and is relevant to
  this case.

  Most kernel state is accessed (through libdladm.so) by issuing
  Project-Private ioctls to three pseudo device nodes in
  /devices/pseudo/ (dld@0:ctl, aggr@0:ctl, and vnic@0:ctl).  These
  ioctls themselves do not have individual privilege requirements.
  Opening the dld and aggr control devices requires the sys_net_config
  privilege due to entries in /etc/security/device_policy, and the
  vnic control device only allows root access by virtue of its device
  node's file permissions.

  WiFi-related kernel state is accessed by opening DLPI device nodes
  of interest in /dev/net and issuing ioctls.  Opening DLPI nodes
  requires the net_rawaccess privilege, and WiFi drivers additionally
  require the sys_net_config privilege to issue WiFi ioctls.

  The result is that all dladm operations require the sys_net_config
  and net_rawaccess privileges.  The vnic operations are currently
  private interfaces to xVM accessed through the project-private
  /usr/lib/vna command, and require the root user-id (all privileges).

3. Proposed Architectural Changes

  This case proposes a new sys_dl_config privilege that is a subset of
  the existing sys_net_config privilege.  This privilege will be
  required to make modifications to datalink configuration, but will
  not be required to read datalink configuration.  The
  /etc/security/exec_attr entries for the /sbin/dladm command will be
  modified to replace sys_net_config with sys_dl_config.  With the
  exception of WiFi administration detailed in 3.1, no additional
  privileges will be required to interact with datalink configuration.

  The existing global privilege checks in the dladm command itself
  will be removed, as will the privilege checks for the aggr, vnic,
  and dld control devices currently in /etc/security/device_policy.
  Instead, all GLDv3 ioctls will go through a single /dev/dld control
  device which will require no privileges to open.  The dld kernel
  module will perform a per-ioctl privilege check.
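  The following is an added example, not code from this case or from
  the dld kernel module: a small userland model in C of the per-ioctl
  privilege check described above.  The privilege names are the ones
  this case uses; the ioctl names and numbers (DLD_IOC_*), the
  model_cred_t type and the check functions are hypothetical stand-ins
  chosen for the model.  It also assumes that, because sys_dl_config is
  a subset of sys_net_config, a caller holding sys_net_config passes a
  sys_dl_config check.

```c
/*
 * Added example: userland model of the per-ioctl privilege check the
 * case proposes for the single /dev/dld control device.  Opening the
 * device is unprivileged; the decision is made per command.  Ioctl
 * names/numbers here are hypothetical, not the real DLDIOC_* values.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Effective privilege set modelled as a bitmask. */
#define PRIV_SYS_NET_CONFIG  (1u << 0)
#define PRIV_SYS_DL_CONFIG   (1u << 1)
#define PRIV_NET_RAWACCESS   (1u << 2)

typedef struct model_cred {
    uint32_t effective;      /* effective privilege set of the caller */
} model_cred_t;

/* Hypothetical ioctl numbers used by this model. */
enum {
    DLD_IOC_GET_ATTR = 1,    /* read-only: backs show-link / show-phys */
    DLD_IOC_RENAME   = 2,    /* modifies configuration: rename-link */
    DLD_IOC_SET_PROP = 3,    /* modifies configuration: set-linkprop */
    DLD_IOC_GET_PROP = 4     /* read-only: show-linkprop */
};

/*
 * Subset semantics (assumption): sys_dl_config is a subset of
 * sys_net_config, so holding either satisfies the check.
 */
static int
policy_dl_config(const model_cred_t *cr)
{
    if (cr->effective & (PRIV_SYS_DL_CONFIG | PRIV_SYS_NET_CONFIG))
        return 0;
    return EPERM;
}

/* Returns 1 if the command changes datalink configuration. */
static int
ioctl_modifies_config(int cmd)
{
    switch (cmd) {
    case DLD_IOC_RENAME:
    case DLD_IOC_SET_PROP:
        return 1;
    default:
        return 0;
    }
}

/*
 * Per-ioctl check of the modelled dld module.  Unknown commands are
 * rejected before any privilege decision; reads need no privilege;
 * modifications need sys_dl_config.  Returns 0 or an errno value.
 */
int
dld_ioctl_privcheck(int cmd, const model_cred_t *cr)
{
    switch (cmd) {
    case DLD_IOC_GET_ATTR:
    case DLD_IOC_GET_PROP:
    case DLD_IOC_RENAME:
    case DLD_IOC_SET_PROP:
        break;
    default:
        return ENOTTY;
    }
    if (ioctl_modifies_config(cmd))
        return policy_dl_config(cr);
    return 0;
}

/* Convenience wrapper: run the check for a caller holding `privs`. */
int
check_with_privs(int cmd, uint32_t privs)
{
    model_cred_t cr = { privs };
    return dld_ioctl_privcheck(cmd, &cr);
}

int
main(void)
{
    printf("show-link, no privileges:        %d\n",
        check_with_privs(DLD_IOC_GET_ATTR, 0));
    printf("rename-link, no privileges:      %d\n",
        check_with_privs(DLD_IOC_RENAME, 0));
    printf("rename-link, sys_dl_config:      %d\n",
        check_with_privs(DLD_IOC_RENAME, PRIV_SYS_DL_CONFIG));
    printf("set-linkprop, sys_net_config:    %d\n",
        check_with_privs(DLD_IOC_SET_PROP, PRIV_SYS_NET_CONFIG));
    return 0;
}
```

  The point the model makes is the one the case relies on: once the
  device itself is openable by anyone, every command that writes
  configuration must carry its own check, and any command the module
  does not recognise is refused outright rather than falling through
  to the "read" path.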

  The end result for users of dladm will be the following set of
  required privileges for each existing subcommand:

  show-link           [none]
  rename-link         sys_dl_config
  delete-phys         sys_dl_config
  show-phys           [none]
  show-dev            [none]
  create-aggr         sys_dl_config
  modify-aggr         sys_dl_config
  delete-aggr         sys_dl_config
  add-aggr            sys_dl_config
  remove-aggr         sys_dl_config
  show-aggr           [none]
  create-vlan         sys_dl_config
  delete-vlan         sys_dl_config
  show-vlan           [none]
  scan-wifi           net_rawaccess, sys_dl_config *
  connect-wifi        net_rawaccess, sys_dl_config *
  disconnect-wifi     net_rawaccess, sys_dl_config *
  show-wifi           net_rawaccess, sys_dl_config *
  set-linkprop        sys_dl_config
  reset-linkprop      sys_dl_config
  show-linkprop       [none]
  create-secobj       sys_dl_config, solaris.network.link.security
  delete-secobj       sys_dl_config, solaris.network.link.security
  show-secobj         sys_dl_config
  show-ether          [none]

  * See section 3.1 regarding WiFi subcommands.

3.1. WiFi Link Administration

  Breaking down the privileges required to administer WiFi links
  (using the WiFi-related dladm subcommands) is outside the scope of
  this case.  The reason is simply that more work is needed to convert
  the driver ioctls issued through /dev/net to other operations that
  do not require the net_rawaccess privilege.  That work will be done
  separately, and the architecture detailed in this case will make
  that work possible, but as a future case.

  This case does propose to relax the requirement for WiFi ioctls from
  sys_net_config to the new sys_dl_config privilege in order to be
  in-line with other GLDv3 datalink administration ioctls.  The
  net_rawaccess privilege will still be required for WiFi operations,
  however, since libdladm.so still has to open /dev/net DLPI nodes in
  order to issue WiFi ioctls.
