CVS commit: src/sys

Fri, 02 Oct 2009 19:01:37 -0700 

Module Name:    src
Committed By:   elad
Date:           Sat Oct  3 02:01:12 UTC 2009

Modified Files:
        src/sys/dev: clockctl.c
        src/sys/secmodel/suser: secmodel_suser.c

Log Message:
Move clockctl policy exception back to the subsystem.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 src/sys/dev/clockctl.c
cvs rdiff -u -r1.21 -r1.22 src/sys/secmodel/suser/secmodel_suser.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/dev/clockctl.c
diff -u src/sys/dev/clockctl.c:1.27 src/sys/dev/clockctl.c:1.28
--- src/sys/dev/clockctl.c:1.27	Sun Feb 22 13:06:59 2009
+++ src/sys/dev/clockctl.c	Sat Oct  3 02:01:12 2009
@@ -1,4 +1,4 @@
-/*      $NetBSD: clockctl.c,v 1.27 2009/02/22 13:06:59 nakayama Exp $ */
+/*      $NetBSD: clockctl.c,v 1.28 2009/10/03 02:01:12 elad Exp $ */
 
 /*-
  * Copyright (c) 2001 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: clockctl.c,v 1.27 2009/02/22 13:06:59 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: clockctl.c,v 1.28 2009/10/03 02:01:12 elad Exp $");
 
 #include "opt_ntp.h"
 #include "opt_compat_netbsd.h"
@@ -47,6 +47,7 @@
 #ifdef NTP
 #include <sys/timex.h>
 #endif /* NTP */
+#include <sys/kauth.h>
 
 #include <sys/clockctl.h>
 #ifdef COMPAT_50
@@ -64,12 +65,39 @@
 	nostop, notty, nopoll, nommap, nokqfilter, D_OTHER,
 };
 
+static kauth_listener_t clockctl_listener;
+
+static int
+clockctl_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+	int result;
+	enum kauth_system_req req;
+	bool device_context;
+
+	result = KAUTH_RESULT_DEFER;
+	req = (enum kauth_system_req)arg0;
+
+	if ((action != KAUTH_SYSTEM_TIME) ||
+	    (req != KAUTH_REQ_SYSTEM_TIME_SYSTEM))
+		return result;
+
+	device_context = (bool)arg3;
+
+	/* Device is controlled by permissions, so allow. */
+	if (device_context)
+		result = KAUTH_RESULT_ALLOW;
+
+	return result;
+}
+
 /*ARGSUSED*/
 void
 clockctlattach(int num)
 {
-	/* Nothing to set up before open is called */
-	return;
+
+	clockctl_listener = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
+	    clockctl_listener_cb, NULL);
 }
 
 int

Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.21 src/sys/secmodel/suser/secmodel_suser.c:1.22
--- src/sys/secmodel/suser/secmodel_suser.c:1.21	Sat Oct  3 01:52:14 2009
+++ src/sys/secmodel/suser/secmodel_suser.c	Sat Oct  3 02:01:12 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.22 2009/10/03 02:01:12 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <[email protected]>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.21 2009/10/03 01:52:14 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.22 2009/10/03 02:01:12 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -410,19 +410,7 @@
 		case KAUTH_REQ_SYSTEM_TIME_ADJTIME:
 		case KAUTH_REQ_SYSTEM_TIME_NTPADJTIME:
 		case KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS:
-			if (isroot)
-				result = KAUTH_RESULT_ALLOW;
-			break;
-
-		case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
-			bool device_context = (bool)arg3;
-
-			if (device_context || isroot)
-				result = KAUTH_RESULT_ALLOW;
-
-			break;
-		}
-
+		case KAUTH_REQ_SYSTEM_TIME_SYSTEM:
 		case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
 			if (isroot)
 				result = KAUTH_RESULT_ALLOW;

Reply via email to