[src/trunk]: src fix secmodel implementation of CPU_UCODE.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src fix secmodel implementation of CPU_UCODE.
From: cegger <cegger%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 21:59:14 +0000

details:   https://anonhg.NetBSD.org/src/rev/66ca1e4dc28a
branches:  trunk
changeset: 772811:66ca1e4dc28a
user:      cegger <cegger%NetBSD.org@localhost>
date:      Tue Jan 17 10:47:26 2012 +0000

description:
fix secmodel implementation of CPU_UCODE.
ok wiz@ for the manpages
ok elad@

diffstat:

 share/man/man9/kauth.9                          |  10 ++++++++--
 share/man/man9/secmodel_securelevel.9           |   6 ++++--
 sys/kern/kern_cpu.c                             |   9 ++-------
 sys/secmodel/securelevel/secmodel_securelevel.c |   8 ++++----
 sys/secmodel/suser/secmodel_suser.c             |   6 +++---
 sys/sys/kauth.h                                 |   3 +--
 6 files changed, 22 insertions(+), 20 deletions(-)

diffs (168 lines):

diff -r 16e8b412f64d -r 66ca1e4dc28a share/man/man9/kauth.9
--- a/share/man/man9/kauth.9    Tue Jan 17 09:30:16 2012 +0000
+++ b/share/man/man9/kauth.9    Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.95 2011/12/04 23:59:25 jym Exp $
+.\" $NetBSD: kauth.9,v 1.96 2012/01/17 10:47:27 cegger Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 8, 2011
+.Dd January 16, 2012
 .Dt KAUTH 9
 .Os
 .Sh NAME
@@ -770,6 +770,12 @@
 Below is a list of available actions, along with which platforms are affected
 by each.
 .Bl -tag -width compact
+.It Dv KAUTH_MACHDEP_CPU_UCODE_APPLY
+Request to apply a CPU microcode to a CPU.
+This is related to the
+.Em CPU_UCODE
+kernel config
+.Xr options 4 .
 .It Dv KAUTH_MACHDEP_CACHEFLUSH
 Request to flush the whole CPU cache.
 Affects
diff -r 16e8b412f64d -r 66ca1e4dc28a share/man/man9/secmodel_securelevel.9
--- a/share/man/man9/secmodel_securelevel.9     Tue Jan 17 09:30:16 2012 +0000
+++ b/share/man/man9/secmodel_securelevel.9     Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: secmodel_securelevel.9,v 1.11 2011/12/04 21:08:45 jym Exp $
+.\" $NetBSD: secmodel_securelevel.9,v 1.12 2012/01/17 10:47:27 cegger Exp $
 .\"
 .\" Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
 .\" Copyright (c) 2000 Hugh Graham
@@ -26,7 +26,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 4, 2011
+.Dd January 16, 2012
 .Dt SECMODEL_SECURELEVEL 9
 .Os
 .Sh NAME
@@ -154,6 +154,8 @@
 Per-process coredump name may not be changed.
 .It
 Packet filtering and NAT rules may not be altered.
+.It
+CPU ucode loading is denied on platforms that support it.
 .El
 .El
 .Pp
diff -r 16e8b412f64d -r 66ca1e4dc28a sys/kern/kern_cpu.c
--- a/sys/kern/kern_cpu.c       Tue Jan 17 09:30:16 2012 +0000
+++ b/sys/kern/kern_cpu.c       Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_cpu.c,v 1.53 2012/01/13 16:05:15 cegger Exp $     */
+/*     $NetBSD: kern_cpu.c,v 1.54 2012/01/17 10:47:27 cegger Exp $     */
 
 /*-
  * Copyright (c) 2007, 2008, 2009, 2010, 2012 The NetBSD Foundation, Inc.
@@ -56,7 +56,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_cpu.c,v 1.53 2012/01/13 16:05:15 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_cpu.c,v 1.54 2012/01/17 10:47:27 cegger Exp $");
 
 #include "opt_cpu_ucode.h"
 
@@ -258,11 +258,6 @@
                    NULL, NULL, NULL, NULL);
                if (error != 0)
                        break;
-               error = kauth_authorize_system(l->l_cred,
-                   KAUTH_SYSTEM_CPU, KAUTH_REQ_SYSTEM_CPU_UCODE_APPLY,
-                   data, NULL, NULL);
-               if (error != 0)
-                       break;
                error = cpu_ucode_apply(data);
                break;
 #endif
diff -r 16e8b412f64d -r 66ca1e4dc28a sys/secmodel/securelevel/secmodel_securelevel.c
--- a/sys/secmodel/securelevel/secmodel_securelevel.c   Tue Jan 17 09:30:16 2012 +0000
+++ b/sys/secmodel/securelevel/secmodel_securelevel.c   Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_securelevel.c,v 1.25 2012/01/13 16:05:15 cegger Exp $ */
+/* $NetBSD: secmodel_securelevel.c,v 1.26 2012/01/17 10:47:27 cegger Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -35,7 +35,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.25 2012/01/13 16:05:15 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_securelevel.c,v 1.26 2012/01/17 10:47:27 cegger Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_insecure.h"
@@ -484,8 +484,8 @@
                break;
 
        case KAUTH_MACHDEP_CPU_UCODE_APPLY:
-               if (securelevel < 1)
-                       result = KAUTH_RESULT_ALLOW;
+               if (securelevel > 1)
+                       result = KAUTH_RESULT_DENY;
                break;
 
        default:
diff -r 16e8b412f64d -r 66ca1e4dc28a sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Tue Jan 17 09:30:16 2012 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.37 2012/01/13 16:05:15 cegger Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.38 2012/01/17 10:47:28 cegger Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.37 2012/01/13 16:05:15 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.38 2012/01/17 10:47:28 cegger Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -248,7 +248,6 @@
        case KAUTH_SYSTEM_CPU:
                switch (req) {
                case KAUTH_REQ_SYSTEM_CPU_SETSTATE:
-               case KAUTH_REQ_SYSTEM_CPU_UCODE_APPLY:
                        if (isroot)
                                result = KAUTH_RESULT_ALLOW;
 
@@ -701,6 +700,7 @@
         result = KAUTH_RESULT_DEFER;
 
         switch (action) {
+       case KAUTH_MACHDEP_CPU_UCODE_APPLY:
        case KAUTH_MACHDEP_IOPERM_GET:
        case KAUTH_MACHDEP_LDT_GET:
        case KAUTH_MACHDEP_LDT_SET:
diff -r 16e8b412f64d -r 66ca1e4dc28a sys/sys/kauth.h
--- a/sys/sys/kauth.h   Tue Jan 17 09:30:16 2012 +0000
+++ b/sys/sys/kauth.h   Tue Jan 17 10:47:26 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.67 2012/01/13 16:05:16 cegger Exp $ */
+/* $NetBSD: kauth.h,v 1.68 2012/01/17 10:47:26 cegger Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>  
@@ -109,7 +109,6 @@
        KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
        KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
        KAUTH_REQ_SYSTEM_CPU_SETSTATE,
-       KAUTH_REQ_SYSTEM_CPU_UCODE_APPLY,
        KAUTH_REQ_SYSTEM_DEBUG_IPKDB,
        KAUTH_REQ_SYSTEM_MOUNT_GET,
        KAUTH_REQ_SYSTEM_MOUNT_NEW,

Prev by Date: [src/trunk]: src/sys/arch/hppa/hppa Remove comment that shouldn't have crept in.
Next by Date: [src/trunk]: src/sys/arch/hppa/hppa Add some space to the output.
Previous by Thread: [src/trunk]: src/sys/arch/hppa/hppa Remove comment that shouldn't have crept in.
Next by Thread: [src/trunk]: src/sys/arch/hppa/hppa Add some space to the output.
Indexes:

Home | Main Index | Thread Index | Old Index