Subject: Re: Dividing securelevel implications to kauth(9) scopes
To: None <elad@NetBSD.org>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-security
Date: 05/17/2006 18:21:49
> > i think chflags shouldn't be "generic".
> 
> "vnode"?

yea, it sounds better.

> > can you propose operations and their arguments as well?
> > to me, it isn't clear how "driver" scope operations will be, for example.
> 
> The arguments passed to the authorization wrappers are supposed to
> provide a context for the listener to make a decision. Every operation
> will have its own set of arguments.
> 
> For example, we have the following code in sys/dev/tc/stic.c:
> 
> 	static int
> 	sticopen(dev_t dev, int flag, int mode, struct lwp *l)
> 	{
> 		struct stic_info *si;
> 		int s;
> 
> 		if (securelevel > 0)
> 			return (EPERM);
> 	[...]
> 
> Where's it's clear we have no context needed to make a decision, so
> the arguments can all be NULL.

i don't think it's so obvious.

to define a kauth action, we need to figure out
why sticopen should be prohibited.
otherwise, we end up to have KAUTH_DRIVER_STICOPEN,
which is a poor choice, IMO.

besides, it can be done by listening more generic actions like "open".
in that case, you want to pass vnode pointer or dev_t, so that listener
can check if it's a "dangerous" device.

YAMAMOTO Takashi