CVS commit: src

Tue, 05 May 2009 14:03:35 -0700 

Module Name:    src
Committed By:   elad
Date:           Tue May  5 21:03:29 UTC 2009

Modified Files:
        src/share/man/man9: kauth.9
        src/sys/dev: rnd.c
        src/sys/secmodel/bsd44: secmodel_bsd44_suser.c
        src/sys/sys: kauth.h

Log Message:
Add device scope actions for rnd(4) and use them.

Mailing list reference:

        http://mail-index.netbsd.org/tech-kern/2009/04/27/msg004953.html


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.79 src/share/man/man9/kauth.9
cvs rdiff -u -r1.71 -r1.72 src/sys/dev/rnd.c
cvs rdiff -u -r1.63 -r1.64 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
cvs rdiff -u -r1.55 -r1.56 src/sys/sys/kauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/share/man/man9/kauth.9
diff -u src/share/man/man9/kauth.9:1.78 src/share/man/man9/kauth.9:1.79
--- src/share/man/man9/kauth.9:1.78	Sun May  3 19:25:39 2009
+++ src/share/man/man9/kauth.9	Tue May  5 21:03:28 2009
@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.78 2009/05/03 19:25:39 wiz Exp $
+.\" $NetBSD: kauth.9,v 1.79 2009/05/05 21:03:28 elad Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <[email protected]>
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 3, 2009
+.Dd May 5, 2009
 .Dt KAUTH 9
 .Os
 .Sh NAME
@@ -883,6 +883,20 @@
 .Ft u_long
 describing the command.
 .El
+.Pp
+.Sy Kernel random device
+Authorization actions relevant to the kernel random device,
+.Xr rnd 4 ,
+is done using the standard authorization wrapper, with the following actions:
+.Pp
+.Bl -tag -width compact
+.It KAUTH_DEVICE_RND_ADDDATA
+Check if adding data to the entropy pool is allowed.
+.It KAUTH_DEVICE_RND_GETPRIV
+Check if privileged settings and information can be retrieved.
+.It KAUTH_DEVICE_RND_SETPRIV
+Check if privileged settings can be changed.
+.El
 .Ss Credentials Scope
 The credentials scope,
 .Dq org.netbsd.kauth.cred ,

Index: src/sys/dev/rnd.c
diff -u src/sys/dev/rnd.c:1.71 src/sys/dev/rnd.c:1.72
--- src/sys/dev/rnd.c:1.71	Sat Aug 16 13:07:30 2008
+++ src/sys/dev/rnd.c	Tue May  5 21:03:29 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: rnd.c,v 1.71 2008/08/16 13:07:30 dan Exp $	*/
+/*	$NetBSD: rnd.c,v 1.72 2009/05/05 21:03:29 elad Exp $	*/
 
 /*-
  * Copyright (c) 1997 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rnd.c,v 1.71 2008/08/16 13:07:30 dan Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rnd.c,v 1.72 2009/05/05 21:03:29 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/ioctl.h>
@@ -496,16 +496,30 @@
 	case FIOASYNC:
 	case RNDGETENTCNT:
 		break;
+
 	case RNDGETPOOLSTAT:
 	case RNDGETSRCNUM:
 	case RNDGETSRCNAME:
+		ret = kauth_authorize_device(l->l_cred,
+		    KAUTH_DEVICE_RND_GETPRIV, NULL, NULL, NULL, NULL);
+		if (ret)
+			return (ret);
+		break;
+
 	case RNDCTL:
+		ret = kauth_authorize_device(l->l_cred,
+		    KAUTH_DEVICE_RND_SETPRIV, NULL, NULL, NULL, NULL);
+		if (ret)
+			return (ret);
+		break;
+
 	case RNDADDDATA:
-		ret = kauth_authorize_generic(l->l_cred, KAUTH_GENERIC_ISSUSER,
-		    NULL);
+		ret = kauth_authorize_device(l->l_cred,
+		    KAUTH_DEVICE_RND_ADDDATA, NULL, NULL, NULL, NULL);
 		if (ret)
 			return (ret);
 		break;
+
 	default:
 		return (EINVAL);
 	}

Index: src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
diff -u src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.63 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.64
--- src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.63	Sun May  3 17:21:13 2009
+++ src/sys/secmodel/bsd44/secmodel_bsd44_suser.c	Tue May  5 21:03:28 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.63 2009/05/03 17:21:13 elad Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <[email protected]>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.63 2009/05/03 17:21:13 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.64 2009/05/05 21:03:28 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -1051,6 +1051,13 @@
 
 		break;
 
+	case KAUTH_DEVICE_RND_ADDDATA:
+	case KAUTH_DEVICE_RND_GETPRIV:
+	case KAUTH_DEVICE_RND_SETPRIV:
+		if (isroot)
+			result = KAUTH_RESULT_ALLOW;
+		break;
+
 	default:
 		result = KAUTH_RESULT_DEFER;
 		break;

Index: src/sys/sys/kauth.h
diff -u src/sys/sys/kauth.h:1.55 src/sys/sys/kauth.h:1.56
--- src/sys/sys/kauth.h:1.55	Sun May  3 17:21:12 2009
+++ src/sys/sys/kauth.h	Tue May  5 21:03:28 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.55 2009/05/03 17:21:12 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.56 2009/05/05 21:03:28 elad Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <[email protected]>  
@@ -239,6 +239,9 @@
 	KAUTH_DEVICE_RAWIO_SPEC,
 	KAUTH_DEVICE_RAWIO_PASSTHRU,
 	KAUTH_DEVICE_BLUETOOTH_SETPRIV,
+	KAUTH_DEVICE_RND_ADDDATA,
+	KAUTH_DEVICE_RND_GETPRIV,
+	KAUTH_DEVICE_RND_SETPRIV,
 };
 
 /*

Reply via email to