CVS commit: src

Mon, 10 Aug 2009 13:22:23 -0700 

Module Name:    src
Committed By:   plunky
Date:           Mon Aug 10 20:22:06 UTC 2009

Modified Files:
        src/share/man/man9: kauth.9
        src/sys/netbt: hci_socket.c
        src/sys/secmodel/bsd44: secmodel_bsd44_suser.c
        src/sys/sys: kauth.h

Log Message:
reduce the number of KAUTH_DEVICE_BLUETOOTH_SEND/RECV requests
by passing the packet type as an argument rather than having
a different request for each type.

(from a suggestion by mrg)


To generate a diff of this commit:
cvs rdiff -u -r1.86 -r1.87 src/share/man/man9/kauth.9
cvs rdiff -u -r1.18 -r1.19 src/sys/netbt/hci_socket.c
cvs rdiff -u -r1.69 -r1.70 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
cvs rdiff -u -r1.61 -r1.62 src/sys/sys/kauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/share/man/man9/kauth.9
diff -u src/share/man/man9/kauth.9:1.86 src/share/man/man9/kauth.9:1.87
--- src/share/man/man9/kauth.9:1.86	Mon Aug 10 18:25:20 2009
+++ src/share/man/man9/kauth.9	Mon Aug 10 20:22:06 2009
@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.86 2009/08/10 18:25:20 plunky Exp $
+.\" $NetBSD: kauth.9,v 1.87 2009/08/10 20:22:06 plunky Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <[email protected]>
 .\" All rights reserved.
@@ -978,23 +978,28 @@
 .Xr btuart 4
 device is allowed.
 .El
-.It KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND
-Check if a command packet can be received from the device.
-.Pp
-.Ar arg0
-is the command opcode.
-.It KAUTH_DEVICE_BLUETOOTH_RECV_DATA
-Check if a data packet can be received from the device.
+.It KAUTH_DEVICE_BLUETOOTH_RECV
+Check if a packet can be received from the device.
 .Pp
 .Ar arg0
 is the packet type.
-.It KAUTH_DEVICE_BLUETOOTH_RECV_EVENT
-Check if a event packet can be received from the device.
-.Pp
-.Ar arg0
-is the event ID.
-.It KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND
-Check if a command packet can be sent to the device.
+For
+.Dv HCI_CMD_PKT
+packets,
+.Ar arg1
+is the opcode, for
+.Dv HCI_EVENT_PKT
+packets,
+.Ar arg1
+is the event ID, and for
+.Dv HCI_ACLDATA_PKT
+or
+.Dv HCI_SCODATA_PKT
+packets,
+.Ar arg1
+is the connection handle.
+.It KAUTH_DEVICE_BLUETOOTH_SEND
+Check if a packet can be sent to the device.
 .Pp
 .Ar arg0
 is a
@@ -1003,7 +1008,7 @@
 .Ar arg1
 is a
 .Ft hci_cmd_hdr_t *
-describing the command packet header.
+describing the packet header.
 .It KAUTH_DEVICE_BLUETOOTH_SETPRIV
 Check if privileged settings can be changed.
 .Pp

Index: src/sys/netbt/hci_socket.c
diff -u src/sys/netbt/hci_socket.c:1.18 src/sys/netbt/hci_socket.c:1.19
--- src/sys/netbt/hci_socket.c:1.18	Mon Aug 10 18:25:20 2009
+++ src/sys/netbt/hci_socket.c	Mon Aug 10 20:22:06 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hci_socket.c,v 1.18 2009/08/10 18:25:20 plunky Exp $	*/
+/*	$NetBSD: hci_socket.c,v 1.19 2009/08/10 20:22:06 plunky Exp $	*/
 
 /*-
  * Copyright (c) 2005 Iain Hibbert.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.18 2009/08/10 18:25:20 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.19 2009/08/10 20:22:06 plunky Exp $");
 
 /* load symbolic names */
 #ifdef BLUETOOTH_DEBUG
@@ -208,7 +208,7 @@
 	result = KAUTH_RESULT_DEFER;
 
 	switch (action) {
-	case KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND: {
+	case KAUTH_DEVICE_BLUETOOTH_SEND: {
 		struct hci_unit *unit = (struct hci_unit *)arg0;
 		hci_cmd_hdr_t *hdr = (hci_cmd_hdr_t *)arg1;
 
@@ -217,6 +217,9 @@
 		 * is correct and the unit claims to support it
 		 */
 
+		if (hdr->type != HCI_CMD_PKT)
+			break;
+
 		for (i = 0; i < __arraycount(hci_cmds); i++) {
 			if (hdr->opcode == hci_cmds[i].opcode
 			    && hdr->length == hci_cmds[i].length
@@ -229,51 +232,62 @@
 		break;
 		}
 
-	case KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND: {
-		uint16_t opcode = (uint16_t)(uintptr_t)arg0;
+	case KAUTH_DEVICE_BLUETOOTH_RECV:
+		switch((uint8_t)(uintptr_t)arg0) {
+		case HCI_CMD_PKT: {
+			uint16_t opcode = (uint16_t)(uintptr_t)arg1;
+
+			/*
+			 * Allow to see any unprivileged command packet
+			 */
+
+			for (i = 0; i < __arraycount(hci_cmds); i++) {
+				if (opcode == hci_cmds[i].opcode) {
+					result = KAUTH_RESULT_ALLOW;
+					break;
+				}
+			}
 
-		/*
-		 * Allow to see any unprivileged command packet
-		 */
+			break;
+			}
 
-		for (i = 0; i < __arraycount(hci_cmds); i++) {
-			if (opcode == hci_cmds[i].opcode) {
+		case HCI_EVENT_PKT: {
+			uint8_t event = (uint8_t)(uintptr_t)arg1;
+
+			/*
+			 * Allow to receive most events
+			 */
+
+			switch (event) {
+			case HCI_EVENT_RETURN_LINK_KEYS:
+			case HCI_EVENT_LINK_KEY_NOTIFICATION:
+			case HCI_EVENT_USER_CONFIRM_REQ:
+			case HCI_EVENT_USER_PASSKEY_NOTIFICATION:
+			case HCI_EVENT_VENDOR:
+				break;
+
+			default:
 				result = KAUTH_RESULT_ALLOW;
 				break;
 			}
-		}
-
-		break;
-		}
 
-	case KAUTH_DEVICE_BLUETOOTH_RECV_EVENT: {
-		uint8_t event = (uint8_t)(uintptr_t)arg0;
-
-		/*
-		 * Allow to receive most events
-		 */
+		    	break;
+			}
 
-		switch (event) {
-		case HCI_EVENT_RETURN_LINK_KEYS:
-		case HCI_EVENT_LINK_KEY_NOTIFICATION:
-		case HCI_EVENT_USER_CONFIRM_REQ:
-		case HCI_EVENT_USER_PASSKEY_NOTIFICATION:
-		case HCI_EVENT_VENDOR:
+		case HCI_ACL_DATA_PKT:
+		case HCI_SCO_DATA_PKT: {
+			/* uint16_t handle = (uint16_t)(uintptr_t)arg1; */
+			/*
+			 * don't normally allow receiving data packets
+			 */
 			break;
+			}
 
 		default:
-			result = KAUTH_RESULT_ALLOW;
 			break;
 		}
 
 		break;
-		}
-
-	case KAUTH_DEVICE_BLUETOOTH_RECV_DATA:	/* arg0 == type */
-		/*
-		 * don't normally allow receiving data packets
-		 */
-		break;
 
 	default:
 		break;
@@ -378,7 +392,7 @@
 	/* security checks for unprivileged users */
 	if (pcb->hp_cred != NULL
 	    && kauth_authorize_device(pcb->hp_cred,
-	    KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND,
+	    KAUTH_DEVICE_BLUETOOTH_SEND,
 	    unit, &hdr, NULL, NULL) != 0) {
 		err = EPERM;
 		goto bad;
@@ -729,7 +743,7 @@
 	struct sockaddr_bt sa;
 	uint8_t type;
 	uint8_t event;
-	uint16_t opcode;
+	uint16_t arg1;
 
 	KASSERT(m->m_len >= sizeof(type));
 
@@ -766,39 +780,37 @@
 			if (hci_filter_test(event, &pcb->hp_efilter) == 0)
 				continue;
 
-			if (pcb->hp_cred != NULL
-			    && kauth_authorize_device(pcb->hp_cred,
-			    KAUTH_DEVICE_BLUETOOTH_RECV_EVENT,
-			    KAUTH_ARG(event), NULL, NULL, NULL) != 0)
-				continue;
-
+			arg1 = event;
 			break;
 
 		case HCI_CMD_PKT:
 			KASSERT(m->m_len >= sizeof(hci_cmd_hdr_t));
-
-			opcode = le16toh(mtod(m, hci_cmd_hdr_t *)->opcode);
-
-			if (pcb->hp_cred != NULL
-			    && kauth_authorize_device(pcb->hp_cred,
-			    KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND,
-			    KAUTH_ARG(opcode), NULL, NULL, NULL) != 0)
-				continue;
-
+			arg1 = le16toh(mtod(m, hci_cmd_hdr_t *)->opcode);
 			break;
 
 		case HCI_ACL_DATA_PKT:
+			KASSERT(m->m_len >= sizeof(hci_acldata_hdr_t));
+			arg1 = le16toh(mtod(m, hci_acldata_hdr_t *)->con_handle);
+			arg1 = HCI_CON_HANDLE(arg1);
+			break;
+
 		case HCI_SCO_DATA_PKT:
-		default:
-			if (pcb->hp_cred != NULL
-			    && kauth_authorize_device(pcb->hp_cred,
-			    KAUTH_DEVICE_BLUETOOTH_RECV_DATA,
-			    KAUTH_ARG(type), NULL, NULL, NULL) != 0)
-				continue;
+			KASSERT(m->m_len >= sizeof(hci_scodata_hdr_t));
+			arg1 = le16toh(mtod(m, hci_scodata_hdr_t *)->con_handle);
+			arg1 = HCI_CON_HANDLE(arg1);
+			break;
 
+		default:
+			arg1 = 0;
 			break;
 		}
 
+		if (pcb->hp_cred != NULL
+		    && kauth_authorize_device(pcb->hp_cred,
+		    KAUTH_DEVICE_BLUETOOTH_RECV,
+		    KAUTH_ARG(type), KAUTH_ARG(arg1), NULL, NULL) != 0)
+			continue;
+
 		/*
 		 * create control messages
 		 */

Index: src/sys/secmodel/bsd44/secmodel_bsd44_suser.c
diff -u src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.69 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.70
--- src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.69	Mon Aug 10 18:25:20 2009
+++ src/sys/secmodel/bsd44/secmodel_bsd44_suser.c	Mon Aug 10 20:22:06 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_bsd44_suser.c,v 1.69 2009/08/10 18:25:20 plunky Exp $ */
+/* $NetBSD: secmodel_bsd44_suser.c,v 1.70 2009/08/10 20:22:06 plunky Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <[email protected]>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.69 2009/08/10 18:25:20 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.70 2009/08/10 20:22:06 plunky Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -1084,10 +1084,8 @@
 
 	switch (action) {
 	case KAUTH_DEVICE_BLUETOOTH_SETPRIV:
-	case KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND:
-	case KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND:
-	case KAUTH_DEVICE_BLUETOOTH_RECV_EVENT:
-	case KAUTH_DEVICE_BLUETOOTH_RECV_DATA:
+	case KAUTH_DEVICE_BLUETOOTH_SEND:
+	case KAUTH_DEVICE_BLUETOOTH_RECV:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;

Index: src/sys/sys/kauth.h
diff -u src/sys/sys/kauth.h:1.61 src/sys/sys/kauth.h:1.62
--- src/sys/sys/kauth.h:1.61	Mon Aug 10 18:25:20 2009
+++ src/sys/sys/kauth.h	Mon Aug 10 20:22:06 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.61 2009/08/10 18:25:20 plunky Exp $ */
+/* $NetBSD: kauth.h,v 1.62 2009/08/10 20:22:06 plunky Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <[email protected]>  
@@ -259,10 +259,8 @@
 	KAUTH_DEVICE_BLUETOOTH_BCSP,
 	KAUTH_DEVICE_BLUETOOTH_BTUART,
 	KAUTH_DEVICE_GPIO_PINSET,
-	KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND,
-	KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND,
-	KAUTH_DEVICE_BLUETOOTH_RECV_EVENT,
-	KAUTH_DEVICE_BLUETOOTH_RECV_DATA
+	KAUTH_DEVICE_BLUETOOTH_SEND,
+	KAUTH_DEVICE_BLUETOOTH_RECV
 };
 
 /*

Reply via email to