search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix up mix of man(7)/mdoc(7).
[netbsd-mini2440.git] / sys / secmodel / overlay / secmodel_overlay.c
blob78bc52d21bc508a02ff00f758fa407388cc015e3
1 /* $NetBSD: secmodel_overlay.c,v 1.9 2008/02/23 23:32:30 elad Exp $ */
2 /*-
3 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products
15 * derived from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
18 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29 #include <sys/cdefs.h>
30 __KERNEL_RCSID(0, "$NetBSD: secmodel_overlay.c,v 1.9 2008/02/23 23:32:30 elad Exp $");
31
32 #include <sys/types.h>
33 #include <sys/param.h>
34 #include <sys/kauth.h>
35 #include <sys/module.h>
36
37 #include <sys/sysctl.h>
38
39 #include <secmodel/overlay/overlay.h>
40
41 #include <secmodel/bsd44/bsd44.h>
42 #include <secmodel/suser/suser.h>
43 #include <secmodel/securelevel/securelevel.h>
44
45 MODULE(MODULE_CLASS_SECMODEL, secmodel_overlay, "secmodel_bsd44");
46
47 /*
48 * Fall-back settings.
49 */
50 #define OVERLAY_ISCOPE_GENERIC "org.netbsd.kauth.overlay.generic"
51 #define OVERLAY_ISCOPE_SYSTEM "org.netbsd.kauth.overlay.system"
52 #define OVERLAY_ISCOPE_PROCESS "org.netbsd.kauth.overlay.process"
53 #define OVERLAY_ISCOPE_NETWORK "org.netbsd.kauth.overlay.network"
54 #define OVERLAY_ISCOPE_MACHDEP "org.netbsd.kauth.overlay.machdep"
55 #define OVERLAY_ISCOPE_DEVICE "org.netbsd.kauth.overlay.device"
56 #define OVERLAY_ISCOPE_VNODE "org.netbsd.kauth.overlay.vnode"
57
58 static kauth_scope_t secmodel_overlay_iscope_generic;
59 static kauth_scope_t secmodel_overlay_iscope_system;
60 static kauth_scope_t secmodel_overlay_iscope_process;
61 static kauth_scope_t secmodel_overlay_iscope_network;
62 static kauth_scope_t secmodel_overlay_iscope_machdep;
63 static kauth_scope_t secmodel_overlay_iscope_device;
64 static kauth_scope_t secmodel_overlay_iscope_vnode;
65
66 static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep,
67 l_device, l_vnode;
68
69 static struct sysctllog *sysctl_overlay_log;
70
71 /*
72 * Initialize the overlay security model.
73 */
74 void
75 secmodel_overlay_init(void)
76 {
77 /*
78 * Register internal fall-back scopes.
79 */
80 secmodel_overlay_iscope_generic = kauth_register_scope(
81 OVERLAY_ISCOPE_GENERIC, NULL, NULL);
82 secmodel_overlay_iscope_system = kauth_register_scope(
83 OVERLAY_ISCOPE_SYSTEM, NULL, NULL);
84 secmodel_overlay_iscope_process = kauth_register_scope(
85 OVERLAY_ISCOPE_PROCESS, NULL, NULL);
86 secmodel_overlay_iscope_network = kauth_register_scope(
87 OVERLAY_ISCOPE_NETWORK, NULL, NULL);
88 secmodel_overlay_iscope_machdep = kauth_register_scope(
89 OVERLAY_ISCOPE_MACHDEP, NULL, NULL);
90 secmodel_overlay_iscope_device = kauth_register_scope(
91 OVERLAY_ISCOPE_DEVICE, NULL, NULL);
92 secmodel_overlay_iscope_vnode = kauth_register_scope(
93 OVERLAY_ISCOPE_VNODE, NULL, NULL);
94
95 /*
96 * Register fall-back listeners, from suser and securelevel, to each
97 * internal scope.
98 */
99 kauth_listen_scope(OVERLAY_ISCOPE_GENERIC,
100 secmodel_suser_generic_cb, NULL);
101
102 kauth_listen_scope(OVERLAY_ISCOPE_SYSTEM,
103 secmodel_suser_system_cb, NULL);
104 kauth_listen_scope(OVERLAY_ISCOPE_SYSTEM,
105 secmodel_securelevel_system_cb, NULL);
106
107 kauth_listen_scope(OVERLAY_ISCOPE_PROCESS,
108 secmodel_suser_process_cb, NULL);
109 kauth_listen_scope(OVERLAY_ISCOPE_PROCESS,
110 secmodel_securelevel_process_cb, NULL);
111
112 kauth_listen_scope(OVERLAY_ISCOPE_NETWORK,
113 secmodel_suser_network_cb, NULL);
114 kauth_listen_scope(OVERLAY_ISCOPE_NETWORK,
115 secmodel_securelevel_network_cb, NULL);
116
117 kauth_listen_scope(OVERLAY_ISCOPE_MACHDEP,
118 secmodel_suser_machdep_cb, NULL);
119 kauth_listen_scope(OVERLAY_ISCOPE_MACHDEP,
120 secmodel_securelevel_machdep_cb, NULL);
121
122 kauth_listen_scope(OVERLAY_ISCOPE_DEVICE,
123 secmodel_suser_device_cb, NULL);
124 kauth_listen_scope(OVERLAY_ISCOPE_DEVICE,
125 secmodel_securelevel_device_cb, NULL);
126
127 secmodel_bsd44_init();
128 }
129
130 void
131 sysctl_security_overlay_setup(struct sysctllog **clog)
132 {
133 const struct sysctlnode *rnode;
134
135 sysctl_createv(clog, 0, NULL, &rnode,
136 CTLFLAG_PERMANENT,
137 CTLTYPE_NODE, "security", NULL,
138 NULL, 0, NULL, 0,
139 CTL_SECURITY, CTL_EOL);
140
141 sysctl_createv(clog, 0, &rnode, &rnode,
142 CTLFLAG_PERMANENT,
143 CTLTYPE_NODE, "models", NULL,
144 NULL, 0, NULL, 0,
145 CTL_CREATE, CTL_EOL);
146
147 sysctl_createv(clog, 0, &rnode, &rnode,
148 CTLFLAG_PERMANENT,
149 CTLTYPE_NODE, "overlay",
150 SYSCTL_DESCR("Overlay security model on-top of bsd44, "),
151 NULL, 0, NULL, 0,
152 CTL_CREATE, CTL_EOL);
153
154 sysctl_createv(clog, 0, &rnode, NULL,
155 CTLFLAG_PERMANENT,
156 CTLTYPE_STRING, "name", NULL,
157 NULL, 0, __UNCONST("Overlay (on-top of bsd44)"), 0,
158 CTL_CREATE, CTL_EOL);
159 }
160
161 /*
162 * Start the overlay security model.
163 */
164 void
165 secmodel_overlay_start(void)
166 {
167 l_generic = kauth_listen_scope(KAUTH_SCOPE_GENERIC,
168 secmodel_overlay_generic_cb, NULL);
169 l_system = kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
170 secmodel_overlay_system_cb, NULL);
171 l_process = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
172 secmodel_overlay_process_cb, NULL);
173 l_network = kauth_listen_scope(KAUTH_SCOPE_NETWORK,
174 secmodel_overlay_network_cb, NULL);
175 l_machdep = kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
176 secmodel_overlay_machdep_cb, NULL);
177 l_device = kauth_listen_scope(KAUTH_SCOPE_DEVICE,
178 secmodel_overlay_device_cb, NULL);
179 l_vnode = kauth_listen_scope(KAUTH_SCOPE_VNODE,
180 secmodel_overlay_vnode_cb, NULL);
181
182 /* secmodel_register(); */
183 }
184
185 /*
186 * Stop the overlay security model.
187 */
188 void
189 secmodel_overlay_stop(void)
190 {
191 kauth_unlisten_scope(l_generic);
192 kauth_unlisten_scope(l_system);
193 kauth_unlisten_scope(l_process);
194 kauth_unlisten_scope(l_network);
195 kauth_unlisten_scope(l_machdep);
196 kauth_unlisten_scope(l_device);
197 kauth_unlisten_scope(l_vnode);
198 }
199
200 static int
201 secmodel_overlay_modcmd(modcmd_t cmd, void *arg)
202 {
203 int error = 0;
204
205 switch (cmd) {
206 case MODULE_CMD_INIT:
207 secmodel_overlay_init();
208 secmodel_bsd44_stop();
209 secmodel_overlay_start();
210 sysctl_security_overlay_setup(&sysctl_overlay_log);
211 break;
212
213 case MODULE_CMD_FINI:
214 sysctl_teardown(&sysctl_overlay_log);
215 secmodel_overlay_stop();
216 break;
217
218 case MODULE_CMD_AUTOUNLOAD:
219 error = EPERM;
220 break;
221
222 default:
223 error = ENOTTY;
224 break;
225 }
226
227 return error;
228 }
229
230 /*
231 * Overlay listener for the generic scope.
232 */
233 int
234 secmodel_overlay_generic_cb(kauth_cred_t cred, kauth_action_t action,
235 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
236 {
237 int result;
238
239 result = KAUTH_RESULT_DEFER;
240
241 switch (action) {
242 default:
243 result = KAUTH_RESULT_DEFER;
244 break;
245 }
246
247 if (result == KAUTH_RESULT_DEFER) {
248 result = kauth_authorize_action(
249 secmodel_overlay_iscope_generic, cred, action,
250 arg0, arg1, arg2, arg3);
251 }
252
253 return (result);
254 }
255
256 /*
257 * Overlay listener for the system scope.
258 */
259 int
260 secmodel_overlay_system_cb(kauth_cred_t cred, kauth_action_t action,
261 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
262 {
263 int result;
264
265 result = KAUTH_RESULT_DEFER;
266
267 switch (action) {
268 default:
269 result = KAUTH_RESULT_DEFER;
270 break;
271 }
272
273 if (result == KAUTH_RESULT_DEFER) {
274 result = kauth_authorize_action(
275 secmodel_overlay_iscope_system, cred, action,
276 arg0, arg1, arg2, arg3);
277 }
278
279 return (result);
280 }
281
282 /*
283 * Overlay listener for the process scope.
284 */
285 int
286 secmodel_overlay_process_cb(kauth_cred_t cred, kauth_action_t action,
287 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
288 {
289 int result;
290
291 result = KAUTH_RESULT_DEFER;
292
293 switch (action) {
294 default:
295 result = KAUTH_RESULT_DEFER;
296 break;
297 }
298
299 if (result == KAUTH_RESULT_DEFER) {
300 result = kauth_authorize_action(
301 secmodel_overlay_iscope_process, cred, action,
302 arg0, arg1, arg2, arg3);
303 }
304
305 return (result);
306 }
307
308 /*
309 * Overlay listener for the network scope.
310 */
311 int
312 secmodel_overlay_network_cb(kauth_cred_t cred, kauth_action_t action,
313 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
314 {
315 int result;
316
317 result = KAUTH_RESULT_DEFER;
318
319 switch (action) {
320 default:
321 result = KAUTH_RESULT_DEFER;
322 break;
323 }
324
325 if (result == KAUTH_RESULT_DEFER) {
326 result = kauth_authorize_action(
327 secmodel_overlay_iscope_network, cred, action,
328 arg0, arg1, arg2, arg3);
329 }
330
331 return (result);
332 }
333
334 /*
335 * Overlay listener for the machdep scope.
336 */
337 int
338 secmodel_overlay_machdep_cb(kauth_cred_t cred, kauth_action_t action,
339 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
340 {
341 int result;
342
343 result = KAUTH_RESULT_DEFER;
344
345 switch (action) {
346 default:
347 result = KAUTH_RESULT_DEFER;
348 break;
349 }
350
351 if (result == KAUTH_RESULT_DEFER) {
352 result = kauth_authorize_action(
353 secmodel_overlay_iscope_machdep, cred, action,
354 arg0, arg1, arg2, arg3);
355 }
356
357 return (result);
358 }
359
360 /*
361 * Overlay listener for the device scope.
362 */
363 int
364 secmodel_overlay_device_cb(kauth_cred_t cred, kauth_action_t action,
365 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
366 {
367 int result;
368
369 result = KAUTH_RESULT_DEFER;
370
371 switch (action) {
372 default:
373 result = KAUTH_RESULT_DEFER;
374 break;
375 }
376
377 if (result == KAUTH_RESULT_DEFER) {
378 result = kauth_authorize_action(
379 secmodel_overlay_iscope_device, cred, action,
380 arg0, arg1, arg2, arg3);
381 }
382
383 return (result);
384 }
385
386 /*
387 * Overlay listener for the vnode scope.
388 */
389 int
390 secmodel_overlay_vnode_cb(kauth_cred_t cred, kauth_action_t action,
391 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
392 {
393 int result;
394
395 result = KAUTH_RESULT_DEFER;
396
397 switch (action) {
398 default:
399 result = KAUTH_RESULT_DEFER;
400 break;
401 }
402
403 if (result == KAUTH_RESULT_DEFER) {
404 result = kauth_authorize_action(
405 secmodel_overlay_iscope_vnode, cred, action,
406 arg0, arg1, arg2, arg3);
407 }
408
409 return (result);
410 }
NetBSD on the FriendlyARM MINI2440