Module Name: src Committed By: plunky Date: Mon Aug 10 20:22:06 UTC 2009
Modified Files: src/share/man/man9: kauth.9 src/sys/netbt: hci_socket.c src/sys/secmodel/bsd44: secmodel_bsd44_suser.c src/sys/sys: kauth.h Log Message: reduce the number of KAUTH_DEVICE_BLUETOOTH_SEND/RECV requests by passing the packet type as an argument rather than having a different request for each type. (from a suggestion by mrg) To generate a diff of this commit: cvs rdiff -u -r1.86 -r1.87 src/share/man/man9/kauth.9 cvs rdiff -u -r1.18 -r1.19 src/sys/netbt/hci_socket.c cvs rdiff -u -r1.69 -r1.70 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c cvs rdiff -u -r1.61 -r1.62 src/sys/sys/kauth.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/share/man/man9/kauth.9 diff -u src/share/man/man9/kauth.9:1.86 src/share/man/man9/kauth.9:1.87 --- src/share/man/man9/kauth.9:1.86 Mon Aug 10 18:25:20 2009 +++ src/share/man/man9/kauth.9 Mon Aug 10 20:22:06 2009 @@ -1,4 +1,4 @@ -.\" $NetBSD: kauth.9,v 1.86 2009/08/10 18:25:20 plunky Exp $ +.\" $NetBSD: kauth.9,v 1.87 2009/08/10 20:22:06 plunky Exp $ .\" .\" Copyright (c) 2005, 2006 Elad Efrat <e...@netbsd.org> .\" All rights reserved. @@ -978,23 +978,28 @@ .Xr btuart 4 device is allowed. .El -.It KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND -Check if a command packet can be received from the device. -.Pp -.Ar arg0 -is the command opcode. -.It KAUTH_DEVICE_BLUETOOTH_RECV_DATA -Check if a data packet can be received from the device. +.It KAUTH_DEVICE_BLUETOOTH_RECV +Check if a packet can be received from the device. .Pp .Ar arg0 is the packet type. -.It KAUTH_DEVICE_BLUETOOTH_RECV_EVENT -Check if a event packet can be received from the device. -.Pp -.Ar arg0 -is the event ID. -.It KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND -Check if a command packet can be sent to the device. +For +.Dv HCI_CMD_PKT +packets, +.Ar arg1 +is the opcode, for +.Dv HCI_EVENT_PKT +packets, +.Ar arg1 +is the event ID, and for +.Dv HCI_ACLDATA_PKT +or +.Dv HCI_SCODATA_PKT +packets, +.Ar arg1 +is the connection handle. +.It KAUTH_DEVICE_BLUETOOTH_SEND +Check if a packet can be sent to the device. .Pp .Ar arg0 is a @@ -1003,7 +1008,7 @@ .Ar arg1 is a .Ft hci_cmd_hdr_t * -describing the command packet header. +describing the packet header. .It KAUTH_DEVICE_BLUETOOTH_SETPRIV Check if privileged settings can be changed. .Pp Index: src/sys/netbt/hci_socket.c diff -u src/sys/netbt/hci_socket.c:1.18 src/sys/netbt/hci_socket.c:1.19 --- src/sys/netbt/hci_socket.c:1.18 Mon Aug 10 18:25:20 2009 +++ src/sys/netbt/hci_socket.c Mon Aug 10 20:22:06 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: hci_socket.c,v 1.18 2009/08/10 18:25:20 plunky Exp $ */ +/* $NetBSD: hci_socket.c,v 1.19 2009/08/10 20:22:06 plunky Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.18 2009/08/10 18:25:20 plunky Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.19 2009/08/10 20:22:06 plunky Exp $"); /* load symbolic names */ #ifdef BLUETOOTH_DEBUG @@ -208,7 +208,7 @@ result = KAUTH_RESULT_DEFER; switch (action) { - case KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND: { + case KAUTH_DEVICE_BLUETOOTH_SEND: { struct hci_unit *unit = (struct hci_unit *)arg0; hci_cmd_hdr_t *hdr = (hci_cmd_hdr_t *)arg1; @@ -217,6 +217,9 @@ * is correct and the unit claims to support it */ + if (hdr->type != HCI_CMD_PKT) + break; + for (i = 0; i < __arraycount(hci_cmds); i++) { if (hdr->opcode == hci_cmds[i].opcode && hdr->length == hci_cmds[i].length @@ -229,51 +232,62 @@ break; } - case KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND: { - uint16_t opcode = (uint16_t)(uintptr_t)arg0; + case KAUTH_DEVICE_BLUETOOTH_RECV: + switch((uint8_t)(uintptr_t)arg0) { + case HCI_CMD_PKT: { + uint16_t opcode = (uint16_t)(uintptr_t)arg1; + + /* + * Allow to see any unprivileged command packet + */ + + for (i = 0; i < __arraycount(hci_cmds); i++) { + if (opcode == hci_cmds[i].opcode) { + result = KAUTH_RESULT_ALLOW; + break; + } + } - /* - * Allow to see any unprivileged command packet - */ + break; + } - for (i = 0; i < __arraycount(hci_cmds); i++) { - if (opcode == hci_cmds[i].opcode) { + case HCI_EVENT_PKT: { + uint8_t event = (uint8_t)(uintptr_t)arg1; + + /* + * Allow to receive most events + */ + + switch (event) { + case HCI_EVENT_RETURN_LINK_KEYS: + case HCI_EVENT_LINK_KEY_NOTIFICATION: + case HCI_EVENT_USER_CONFIRM_REQ: + case HCI_EVENT_USER_PASSKEY_NOTIFICATION: + case HCI_EVENT_VENDOR: + break; + + default: result = KAUTH_RESULT_ALLOW; break; } - } - - break; - } - case KAUTH_DEVICE_BLUETOOTH_RECV_EVENT: { - uint8_t event = (uint8_t)(uintptr_t)arg0; - - /* - * Allow to receive most events - */ + break; + } - switch (event) { - case HCI_EVENT_RETURN_LINK_KEYS: - case HCI_EVENT_LINK_KEY_NOTIFICATION: - case HCI_EVENT_USER_CONFIRM_REQ: - case HCI_EVENT_USER_PASSKEY_NOTIFICATION: - case HCI_EVENT_VENDOR: + case HCI_ACL_DATA_PKT: + case HCI_SCO_DATA_PKT: { + /* uint16_t handle = (uint16_t)(uintptr_t)arg1; */ + /* + * don't normally allow receiving data packets + */ break; + } default: - result = KAUTH_RESULT_ALLOW; break; } break; - } - - case KAUTH_DEVICE_BLUETOOTH_RECV_DATA: /* arg0 == type */ - /* - * don't normally allow receiving data packets - */ - break; default: break; @@ -378,7 +392,7 @@ /* security checks for unprivileged users */ if (pcb->hp_cred != NULL && kauth_authorize_device(pcb->hp_cred, - KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND, + KAUTH_DEVICE_BLUETOOTH_SEND, unit, &hdr, NULL, NULL) != 0) { err = EPERM; goto bad; @@ -729,7 +743,7 @@ struct sockaddr_bt sa; uint8_t type; uint8_t event; - uint16_t opcode; + uint16_t arg1; KASSERT(m->m_len >= sizeof(type)); @@ -766,39 +780,37 @@ if (hci_filter_test(event, &pcb->hp_efilter) == 0) continue; - if (pcb->hp_cred != NULL - && kauth_authorize_device(pcb->hp_cred, - KAUTH_DEVICE_BLUETOOTH_RECV_EVENT, - KAUTH_ARG(event), NULL, NULL, NULL) != 0) - continue; - + arg1 = event; break; case HCI_CMD_PKT: KASSERT(m->m_len >= sizeof(hci_cmd_hdr_t)); - - opcode = le16toh(mtod(m, hci_cmd_hdr_t *)->opcode); - - if (pcb->hp_cred != NULL - && kauth_authorize_device(pcb->hp_cred, - KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND, - KAUTH_ARG(opcode), NULL, NULL, NULL) != 0) - continue; - + arg1 = le16toh(mtod(m, hci_cmd_hdr_t *)->opcode); break; case HCI_ACL_DATA_PKT: + KASSERT(m->m_len >= sizeof(hci_acldata_hdr_t)); + arg1 = le16toh(mtod(m, hci_acldata_hdr_t *)->con_handle); + arg1 = HCI_CON_HANDLE(arg1); + break; + case HCI_SCO_DATA_PKT: - default: - if (pcb->hp_cred != NULL - && kauth_authorize_device(pcb->hp_cred, - KAUTH_DEVICE_BLUETOOTH_RECV_DATA, - KAUTH_ARG(type), NULL, NULL, NULL) != 0) - continue; + KASSERT(m->m_len >= sizeof(hci_scodata_hdr_t)); + arg1 = le16toh(mtod(m, hci_scodata_hdr_t *)->con_handle); + arg1 = HCI_CON_HANDLE(arg1); + break; + default: + arg1 = 0; break; } + if (pcb->hp_cred != NULL + && kauth_authorize_device(pcb->hp_cred, + KAUTH_DEVICE_BLUETOOTH_RECV, + KAUTH_ARG(type), KAUTH_ARG(arg1), NULL, NULL) != 0) + continue; + /* * create control messages */ Index: src/sys/secmodel/bsd44/secmodel_bsd44_suser.c diff -u src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.69 src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.70 --- src/sys/secmodel/bsd44/secmodel_bsd44_suser.c:1.69 Mon Aug 10 18:25:20 2009 +++ src/sys/secmodel/bsd44/secmodel_bsd44_suser.c Mon Aug 10 20:22:06 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: secmodel_bsd44_suser.c,v 1.69 2009/08/10 18:25:20 plunky Exp $ */ +/* $NetBSD: secmodel_bsd44_suser.c,v 1.70 2009/08/10 20:22:06 plunky Exp $ */ /*- * Copyright (c) 2006 Elad Efrat <e...@netbsd.org> * All rights reserved. @@ -38,7 +38,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.69 2009/08/10 18:25:20 plunky Exp $"); +__KERNEL_RCSID(0, "$NetBSD: secmodel_bsd44_suser.c,v 1.70 2009/08/10 20:22:06 plunky Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -1084,10 +1084,8 @@ switch (action) { case KAUTH_DEVICE_BLUETOOTH_SETPRIV: - case KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND: - case KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND: - case KAUTH_DEVICE_BLUETOOTH_RECV_EVENT: - case KAUTH_DEVICE_BLUETOOTH_RECV_DATA: + case KAUTH_DEVICE_BLUETOOTH_SEND: + case KAUTH_DEVICE_BLUETOOTH_RECV: if (isroot) result = KAUTH_RESULT_ALLOW; break; Index: src/sys/sys/kauth.h diff -u src/sys/sys/kauth.h:1.61 src/sys/sys/kauth.h:1.62 --- src/sys/sys/kauth.h:1.61 Mon Aug 10 18:25:20 2009 +++ src/sys/sys/kauth.h Mon Aug 10 20:22:06 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: kauth.h,v 1.61 2009/08/10 18:25:20 plunky Exp $ */ +/* $NetBSD: kauth.h,v 1.62 2009/08/10 20:22:06 plunky Exp $ */ /*- * Copyright (c) 2005, 2006 Elad Efrat <e...@netbsd.org> @@ -259,10 +259,8 @@ KAUTH_DEVICE_BLUETOOTH_BCSP, KAUTH_DEVICE_BLUETOOTH_BTUART, KAUTH_DEVICE_GPIO_PINSET, - KAUTH_DEVICE_BLUETOOTH_SEND_COMMAND, - KAUTH_DEVICE_BLUETOOTH_RECV_COMMAND, - KAUTH_DEVICE_BLUETOOTH_RECV_EVENT, - KAUTH_DEVICE_BLUETOOTH_RECV_DATA + KAUTH_DEVICE_BLUETOOTH_SEND, + KAUTH_DEVICE_BLUETOOTH_RECV }; /*