Source-Changes-HG archive


[src/trunk]: src Improvements in secmodel(9). Document secmodel_register(9), ...



details:   https://anonhg.NetBSD.org/src/rev/ab03972de7de
branches:  trunk
changeset: 771868:ab03972de7de
user:      jym <jym%NetBSD.org@localhost>
date:      Sun Dec 04 21:08:37 2011 +0000

description:
Improvements in secmodel(9). Document secmodel_register(9), _deregister(9)
and _eval(9).

Add secmodel_extensions(9), and indicate the new sysctl(7) to let
ordinary users control the CPU affinity (user_set_cpu_affinity).

diffstat:

 distrib/sets/lists/comp/mi            |   14 +-
 lib/libpthread/affinity.3             |   20 +-
 lib/librt/sched.3                     |   14 +-
 share/man/man9/Makefile               |   11 +-
 share/man/man9/secmodel.9             |  413 ++++++++++++++++++++++-----------
 share/man/man9/secmodel_bsd44.9       |   12 +-
 share/man/man9/secmodel_extensions.9  |  120 +++++++++
 share/man/man9/secmodel_securelevel.9 |   97 ++++++-
 share/man/man9/secmodel_suser.9       |   83 +++---
 9 files changed, 579 insertions(+), 205 deletions(-)

diffs (truncated from 1139 to 300 lines):

diff -r 9f6e6c0a0f5f -r ab03972de7de distrib/sets/lists/comp/mi
--- a/distrib/sets/lists/comp/mi        Sun Dec 04 21:04:51 2011 +0000
+++ b/distrib/sets/lists/comp/mi        Sun Dec 04 21:08:37 2011 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: mi,v 1.1715 2011/11/29 03:40:42 tls Exp $
+#      $NetBSD: mi,v 1.1716 2011/12/04 21:08:37 jym Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -10510,7 +10510,11 @@
 ./usr/share/man/cat9/scsipi.0                  comp-sys-catman         .cat
 ./usr/share/man/cat9/secmodel.0                        comp-sys-catman         .cat
 ./usr/share/man/cat9/secmodel_bsd44.0          comp-sys-catman         .cat
+./usr/share/man/cat9/secmodel_deregister.0     comp-sys-catman         .cat
+./usr/share/man/cat9/secmodel_eval.0           comp-sys-catman         .cat
+./usr/share/man/cat9/secmodel_extensions.0     comp-sys-catman         .cat
 ./usr/share/man/cat9/secmodel_overlay.0                comp-sys-catman         .cat
+./usr/share/man/cat9/secmodel_register.0       comp-sys-catman         .cat
 ./usr/share/man/cat9/secmodel_securelevel.0    comp-sys-catman         .cat
 ./usr/share/man/cat9/secmodel_suser.0          comp-sys-catman         .cat
 ./usr/share/man/cat9/seldestroy.0              comp-sys-catman         .cat
@@ -16612,7 +16616,11 @@
 ./usr/share/man/html9/scsipi.html              comp-sys-htmlman        html
 ./usr/share/man/html9/secmodel.html            comp-sys-htmlman        html
 ./usr/share/man/html9/secmodel_bsd44.html      comp-sys-htmlman        html
+./usr/share/man/html9/secmodel_deregister.html comp-sys-htmlman        html
+./usr/share/man/html9/secmodel_eval.html       comp-sys-htmlman        html
+./usr/share/man/html9/secmodel_extensions.html comp-sys-htmlman        html
 ./usr/share/man/html9/secmodel_overlay.html    comp-sys-htmlman        html
+./usr/share/man/html9/secmodel_register.html   comp-sys-htmlman        html
 ./usr/share/man/html9/secmodel_securelevel.html        comp-sys-htmlman        html
 ./usr/share/man/html9/secmodel_suser.html      comp-sys-htmlman        html
 ./usr/share/man/html9/seldestroy.html          comp-sys-htmlman        html
@@ -22909,7 +22917,11 @@
 ./usr/share/man/man9/scsipi.9                  comp-sys-man            .man
 ./usr/share/man/man9/secmodel.9                        comp-sys-man            .man
 ./usr/share/man/man9/secmodel_bsd44.9          comp-sys-man            .man
+./usr/share/man/man9/secmodel_deregister.9     comp-sys-man            .man
+./usr/share/man/man9/secmodel_eval.9           comp-sys-man            .man
+./usr/share/man/man9/secmodel_extensions.9     comp-sys-man            .man
 ./usr/share/man/man9/secmodel_overlay.9                comp-sys-man            .man
+./usr/share/man/man9/secmodel_register.9       comp-sys-man            .man
 ./usr/share/man/man9/secmodel_securelevel.9    comp-sys-man            .man
 ./usr/share/man/man9/secmodel_suser.9          comp-sys-man            .man
 ./usr/share/man/man9/seldestroy.9              comp-sys-man            .man
diff -r 9f6e6c0a0f5f -r ab03972de7de lib/libpthread/affinity.3
--- a/lib/libpthread/affinity.3 Sun Dec 04 21:04:51 2011 +0000
+++ b/lib/libpthread/affinity.3 Sun Dec 04 21:08:37 2011 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: affinity.3,v 1.6 2010/07/09 20:58:38 wiz Exp $
+.\"    $NetBSD: affinity.3,v 1.7 2011/12/04 21:08:44 jym Exp $
 .\"
 .\" Copyright (c) 2008 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd July 9, 2010
+.Dd December 4, 2011
 .Dt AFFINITY 3
 .Os
 .Sh NAME
@@ -65,6 +65,22 @@
 must be created and initialized using the
 .Xr cpuset 3
 functions.
+.Sh IMPLEMENTATION NOTES
+Setting CPU
+.Xr affinity 3
+requires super-user privileges.
+Ordinary users can be allowed to control CPU affinity
+of their threads via the
+.Pa security.models.extensions.user_set_cpu_affinity
+.Xr sysctl 7 .
+See
+.Xr secmodel_extensions 9 .
+.Pp
+Portable applications should not use the
+.Fn pthread_setaffinity_np
+and
+.Fn pthread_getaffinity_np
+functions.
 .Sh RETURN VALUES
 The
 .Fn pthread_setaffinity_np
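Review bot: In the added IMPLEMENTATION NOTES text, ".Xr affinity 3" is a cross-reference from affinity.3 to itself; plain "CPU affinity" reads better and avoids the self-reference. The paragraph also names security.models.extensions.user_set_cpu_affinity without saying which value enables it or what the default is, so an administrator has to open secmodel_extensions(9) to learn whether unprivileged users can currently set affinity. One sentence stating the default here would help.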
diff -r 9f6e6c0a0f5f -r ab03972de7de lib/librt/sched.3
--- a/lib/librt/sched.3 Sun Dec 04 21:04:51 2011 +0000
+++ b/lib/librt/sched.3 Sun Dec 04 21:08:37 2011 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: sched.3,v 1.10 2011/04/25 23:14:33 wiz Exp $
+.\"    $NetBSD: sched.3,v 1.11 2011/12/04 21:08:44 jym Exp $
 .\"
 .\" Copyright (c) 2008 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 6, 2010
+.Dd December 4, 2011
 .Dt SCHED 3
 .Os
 .Sh NAME
@@ -148,6 +148,16 @@
 .Fa cpuset .
 .El
 .Sh IMPLEMENTATION NOTES
+Setting CPU
+.Xr affinity 3
+requires super-user privileges.
+Ordinary users can be allowed to control CPU affinity
+of their threads via the
+.Pa security.models.extensions.user_set_cpu_affinity
+.Xr sysctl 7 .
+See
+.Xr secmodel_extensions 9 .
+.Pp
 Portable applications should not use the
 .Fn sched_setaffinity_np
 and
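Review bot: The paragraph added under IMPLEMENTATION NOTES is a verbatim copy of the one added to affinity.3 and still says "of their threads", while the text that follows it in this section is about sched_setaffinity_np. Either adjust the wording to what this page's functions operate on, or reduce it to a pointer to affinity(3) so the privilege statement lives in one place and the two copies cannot drift apart.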
diff -r 9f6e6c0a0f5f -r ab03972de7de share/man/man9/Makefile
--- a/share/man/man9/Makefile   Sun Dec 04 21:04:51 2011 +0000
+++ b/share/man/man9/Makefile   Sun Dec 04 21:08:37 2011 +0000
@@ -1,4 +1,4 @@
-#       $NetBSD: Makefile,v 1.361 2011/11/29 03:40:41 tls Exp $
+#       $NetBSD: Makefile,v 1.362 2011/12/04 21:08:45 jym Exp $
 
 #      Makefile for section 9 (kernel function and variable) manual pages.
 
@@ -45,8 +45,9 @@
        rssadapt.9 rt_timer.9 rwlock.9 RUN_ONCE.9 STACK.9 \
        scanc.9 \
        sched_4bsd.9 sched_m2.9 scsipi.9 \
-       secmodel.9 secmodel_bsd44.9 secmodel_overlay.9 secmodel_securelevel.9 \
-       secmodel_suser.9 SET.9 setbit.9 setjmp.9 shutdownhook_establish.9 \
+       secmodel_bsd44.9 secmodel_extensions.9 \
+       secmodel_overlay.9 secmodel_securelevel.9 secmodel_suser.9 \
+       SET.9 setbit.9 setjmp.9 shutdownhook_establish.9 \
        signal.9 skpc.9 sockopt.9 softintr.9 spl.9 splraiseipl.9 \
        store.9 suspendsched.9 \
        sysctl.9 sysmon_envsys.9 sysmon_pswitch.9 sysmon_taskq.9 tc.9 \
@@ -691,6 +692,10 @@
        STACK.9 STACK_ALIGN.9 \
        STACK.9 STACK_GROW.9 \
        STACK.9 STACK_SHRINK.9
+MAN+=  secmodel.9
+MLINKS+=secmodel.9 secmodel_register.9 \
+       secmodel.9 secmodel_eval.9 \
+       secmodel.9 secmodel_deregister.9
 MAN+=  select.9
 MLINKS+=select.9 selinit.9 \
        select.9 seldestroy.9 \
diff -r 9f6e6c0a0f5f -r ab03972de7de share/man/man9/secmodel.9
--- a/share/man/man9/secmodel.9 Sun Dec 04 21:04:51 2011 +0000
+++ b/share/man/man9/secmodel.9 Sun Dec 04 21:08:37 2011 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel.9,v 1.17 2010/12/02 12:54:13 wiz Exp $
+.\" $NetBSD: secmodel.9,v 1.18 2011/12/04 21:08:45 jym Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 10, 2009
+.Dd December 4, 2011
 .Dt SECMODEL 9
 .Os
 .Sh NAME
@@ -33,141 +33,201 @@
 .Nd security model development guidelines
 .Sh SYNOPSIS
 .In secmodel/secmodel.h
+.Ft int
+.Fn secmodel_register "secmodel_t *sm" "const char *id" "const char *name" \
+    "prop_dictionary_t behavior" "secmodel_eval_t sm_eval" \
+    "secmodel_setinfo_t sm_setinfo"
+.Ft int
+.Fn secmodel_deregister "secmodel_t sm"
+.Ft int
+.Fn secmodel_eval "const char *id" "const char *what" "void *arg" "void *ret"
+.Ft static int
+.Fn secmodel_\*[Lt]model\*[Gt]_eval "const char *what" "void *arg" \
+    "void *ret"
 .Sh DESCRIPTION
 .Nx
-provides a complete abstraction of the underlying security model used with
-the operating system to a set of
+provides a complete abstraction of the underlying security model used within
+the operating system through a set of
 .Xr kauth 9
 scopes and actions.
+It allows maintaining the traditional security model (based on a single
+.Em super-user
+and above-super-user restrictions known as
+.Em securelevel )
+while decoupling it easily from the system.
 .Pp
 It is possible to modify the security model -- either slightly or using an
 entirely different model -- by attaching/detaching
 .Xr kauth 9
 listeners.
-This document describes this process.
-.Ss Background
-In
-.Nx 4.0 ,
-Kernel Authorization --
-.Xr kauth 9
--- was introduced as the subsystem responsible for authorization and
-credential management.
-Before its introduction, there were several ways for providing resource access
-control:
-.Bl -dash -offset indent -compact
+This can be done via the
+.Nm
+pluggable framework.
+.Pp
+A
+.Nm
+is typically implemented as a kernel
+.Xr module 9 ,
+and can be either built-in statically or loaded dynamically at run-time.
+They base their decisions on available information, either directly from
+kernel, from a userspace daemon or even from a centralized network
+authorization server.
+.Sh DATA TYPES
+The
+.Nm
+framework offers the following data types:
+.Bl -tag -width secmodel_t
+.It Fa secmodel_t
+An opaque type that describes a
+.Nm .
+.El
+.Sh FUNCTIONS
+.Bl -tag -width xxxxxxx
+.It Fn secmodel_register "sm" "id" "name" "behavior" "sm_eval" "sm_setinfo"
+Register a security model to the
+.Nm
+framework and stores its description inside
+.Fa sm .
+.Bl -tag -width sm_setinfo
+.It Fa sm
+The
+.Nm
+description.
+.It Fa id
+The unique identifier of the
+.Nm .
+.It Fa name
+The descriptive human-readable name of the
+.Nm .
+.It Fa behavior
+(optional) a
+.Xr prop_dictionary 3
+that declares the behavior of this security model, like
+.Do copy credentials on fork . Dc
+.It Fa sm_eval
+(optional) the
+.Fn secmodel_\*[Lt]model\*[Gt]_eval
+callback used by a
+.Nm
+to register an evaluation routine that can be queried later
+by another security model.
+.It Fa sm_setinfo
+(optional) the
+.Fn secmodel_\*[Lt]model\*[Gt]_setinfo
+callback used by a
+.Nm
+to register a routine that permits other security models to
+alter the
+.Nm
+internals.
+Currently not implemented.
+.El
+.It Fn secmodel_deregister "sm"
+Deregister the
+.Nm
+described by
+.Fa sm .
+.It Fn secmodel_eval "id" "what" "arg" "ret"
+Call the evaluation callback implemented by a security model.
+The return value can be either:
+.Bl -dash -compact -offset xxxxxx
 .It
-Checking if the user in question is the superuser via
-.Fn suser .
+zero (0), when the call succeeded.
 .It
-Comparing the user-id against hard-coded values, often zero,
+positive, when the error comes directly from the
+.Nm
+framework.
 .It
-Checking the system securelevel.
+negative, when the error comes from the evaluation callback
+implemented in the targetted security model.
+The value is then implementation-defined.
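Review bot: The return-value list for secmodel_eval at the end of this hunk splits errors by sign (positive from the framework, negative and implementation-defined from the callback) but does not say whether "ret" holds anything meaningful when the call returns nonzero. Since these callbacks are queried by other security models, say so explicitly, for example that "ret" is only valid after a zero return, if that is the intent. Smaller points in the same hunk: "Register a security model ... and stores" should read "and store", "targetted" should be "targeted", "A secmodel is typically implemented ..." is followed by "They base their decisions", and DATA TYPES lists only secmodel_t although the SYNOPSIS also uses secmodel_eval_t and secmodel_setinfo_t.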


