Subject: Re: Dividing securelevel implications to kauth(9) scopes
To: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 05/16/2006 20:38:37
YAMAMOTO Takashi wrote:

> i think chflags shouldn't be "generic".

"vnode"?

> can you propose operations and their arguments as well?
> to me, it isn't clear how "driver" scope operations will be, for example.

The arguments passed to the authorization wrappers are supposed to
provide a context for the listener to make a decision. Every operation
will have its own set of arguments.

For example, we have the following code in sys/dev/tc/stic.c:

	static int
	sticopen(dev_t dev, int flag, int mode, struct lwp *l)
	{
		struct stic_info *si;
		int s;

		if (securelevel > 0)
			return (EPERM);
	[...]

Where it's clear we have no context needed to make a decision, so
the arguments can all be NULL.

The above is similar (just change the securelevel being conditionalized)
for all securelevel references in sys/dev *except*
wscons/wsdisplay_compat_usl.c:

	int
	wsdisplay_usl_ioctl2(struct wsdisplay_softc *sc, struct wsscreen
		    *scr, u_long cmd, caddr_t data, int flag, struct lwp
		    *l)
	{
	[...]
	switch (cmd) {
	[...]
	case KDENABIO:
		if (kauth_authorize_generic(p->p_cred,
		    KAUTH_GENERIC_ISSUSER, &p->p_acflag) ||
		    securelevel > 1)
			return (EPERM);
	[...]

Where the check could be refactored to one authorization request where
the listener would look into both the credentials and the securelevel.

So, the driver scope -- as of now, anyway -- doesn't care about the
request context, so there would be no arguments passed to the
authorization wrappers.

Does this answer your question?

-e.

-- 
Elad Efrat
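A constructed C model of the refactoring described in the message above: each driver makes one device-scope authorization request, and a listener folds the old in-driver securelevel tests (and, for the KDENABIO case, the superuser check) into a single decision. This is an added example, not NetBSD's kauth(9) code; the `cred_t`, `DEV_*`, `RES_*` names, the deny-wins/default-deny dispatch and the uid-0 superuser test are simplifying assumptions.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed, simplified model of a kauth(9)-style "device" scope.
 * Not NetBSD's real kauth API; all names and types here are assumptions. */
typedef struct { int uid; } cred_t;                 /* minimal credential */
enum { DEV_OPEN = 1, DEV_ENABLE_IO = 2 };           /* device-scope actions */
enum { RES_DEFER = 0, RES_ALLOW = 1, RES_DENY = 2 };/* listener verdicts */
typedef int (*listener_fn)(const cred_t *, int action, void *arg0);

static int securelevel = 0;                         /* stands in for the kernel global */
void set_securelevel(int level) { securelevel = level; }
static const cred_t root_cred = { 0 }, user_cred = { 1000 };  /* constructed sample creds */

/* Listener that folds the old in-driver securelevel tests into one place. */
static int securelevel_listener(const cred_t *cred, int action, void *arg0)
{
	(void)arg0;             /* the driver scope passes no context: arg0 is NULL */
	switch (action) {
	case DEV_OPEN:          /* was: if (securelevel > 0) return (EPERM); */
		return securelevel > 0 ? RES_DENY : RES_ALLOW;
	case DEV_ENABLE_IO:     /* was: !suser || securelevel > 1 -> EPERM */
		if (cred->uid != 0 || securelevel > 1)
			return RES_DENY;
		return RES_ALLOW;
	default:
		return RES_DEFER;   /* unknown action: let another listener decide */
	}
}

static listener_fn device_listeners[4] = { securelevel_listener };
static int n_device_listeners = 1;

/* One authorization request: any deny wins; otherwise some listener must allow. */
int authorize_device(const cred_t *cred, int action, void *arg0)
{
	int i, allowed = 0;
	for (i = 0; i < n_device_listeners; i++) {
		int r = device_listeners[i](cred, action, arg0);
		if (r == RES_DENY)
			return EPERM;
		if (r == RES_ALLOW)
			allowed = 1;
	}
	return allowed ? 0 : EPERM;                     /* all deferred: default deny */
}

/* Helper: evaluate one action at a given securelevel (what a driver's check reduces to). */
int check_at(int level, const cred_t *cred, int action) { set_securelevel(level); return authorize_device(cred, action, NULL); }
```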