Module Name: src
Committed By: elad
Date: Fri Oct 2 21:56:29 UTC 2009
Modified Files:
src/sys/kern: sys_pset.c
src/sys/secmodel/suser: secmodel_suser.c
Log Message:
Move psets security policy back to the subsystem and keep suser logic only
in the suser secmodel code.
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/kern/sys_pset.c
cvs rdiff -u -r1.2 -r1.3 src/sys/secmodel/suser/secmodel_suser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/sys_pset.c
diff -u src/sys/kern/sys_pset.c:1.12 src/sys/kern/sys_pset.c:1.13
--- src/sys/kern/sys_pset.c:1.12 Tue Mar 3 21:55:06 2009
+++ src/sys/kern/sys_pset.c Fri Oct 2 21:56:28 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: sys_pset.c,v 1.12 2009/03/03 21:55:06 rmind Exp $ */
+/* $NetBSD: sys_pset.c,v 1.13 2009/10/02 21:56:28 elad Exp $ */
/*
* Copyright (c) 2008, Mindaugas Rasiukevicius <rmind at NetBSD org>
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_pset.c,v 1.12 2009/03/03 21:55:06 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_pset.c,v 1.13 2009/10/02 21:56:28 elad Exp $");
#include <sys/param.h>
@@ -56,12 +56,37 @@
static pset_info_t ** psets;
static u_int psets_max;
static u_int psets_count;
+static kauth_listener_t psets_listener;
static int psets_realloc(int);
static int psid_validate(psetid_t, bool);
static int kern_pset_create(psetid_t *);
static int kern_pset_destroy(psetid_t);
+static int
+psets_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ psetid_t id;
+ enum kauth_system_req req;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+ req = (enum kauth_system_req)arg0;
+ id = (psetid_t)(unsigned long)arg1;
+
+ if (action != KAUTH_SYSTEM_PSET)
+ return result;
+
+ if ((req == KAUTH_REQ_SYSTEM_PSET_ASSIGN) ||
+ (req == KAUTH_REQ_SYSTEM_PSET_BIND)) {
+ if (id == PS_QUERY)
+ result = KAUTH_RESULT_ALLOW;
+ }
+
+ return result;
+}
+
/*
* Initialization of the processor-sets.
*/
@@ -72,6 +97,9 @@
psets_max = max(MAXCPUS, 32);
psets = kmem_zalloc(psets_max * sizeof(void *), KM_SLEEP);
psets_count = 0;
+
+ psets_listener = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
+ psets_listener_cb, NULL);
}
/*
Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.2 src/sys/secmodel/suser/secmodel_suser.c:1.3
--- src/sys/secmodel/suser/secmodel_suser.c:1.2 Fri Oct 2 21:47:35 2009
+++ src/sys/secmodel/suser/secmodel_suser.c Fri Oct 2 21:56:28 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.3 2009/10/02 21:56:28 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <[email protected]>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.3 2009/10/02 21:56:28 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -398,19 +398,10 @@
break;
- case KAUTH_SYSTEM_PSET: {
- psetid_t id;
-
- id = (psetid_t)(unsigned long)arg1;
-
+ case KAUTH_SYSTEM_PSET:
switch (req) {
case KAUTH_REQ_SYSTEM_PSET_ASSIGN:
case KAUTH_REQ_SYSTEM_PSET_BIND:
- if (isroot || id == PS_QUERY)
- result = KAUTH_RESULT_ALLOW;
-
- break;
-
case KAUTH_REQ_SYSTEM_PSET_CREATE:
case KAUTH_REQ_SYSTEM_PSET_DESTROY:
if (isroot)
@@ -423,7 +414,6 @@
}
break;
- }
case KAUTH_SYSTEM_TIME:
switch (req) {
