search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Sync usage with man page.
[netbsd-mini2440.git] / share / examples / secmodel / secmodel_example.c
blobd45015ca0526ba10ba646006798238aac6e91957
1 /* $NetBSD: secmodel_example.c,v 1.24 2008/02/28 16:09:18 elad Exp $ */
2
3 /*
4 * This file is placed in the public domain.
5 */
6
7 /*
8 * Skeleton file for building a NetBSD security model from scratch, containing
9 * every kauth(9) scope, action, and request, as well as some coding hints.
10 *
11 * This file will be kept in-sync with the official NetBSD kernel, so *always*
12 * use the latest revision.
13 */
14
15 #include <sys/cdefs.h>
16 __KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.24 2008/02/28 16:09:18 elad Exp $");
17
18 #include <sys/types.h>
19 #include <sys/param.h>
20 #include <sys/kauth.h>
21
22 #include <sys/sysctl.h>
23
24 #include <secmodel/secmodel.h>
25
26 #include <secmodel/example/example.h>
27
28 /*
29 * Initialize the security model.
30 */
31 void
32 secmodel_example_init(void)
33 {
34 return;
35 }
36
37 /*
38 * If the security model is to be used as an LKM, this routine should be
39 * changed, because otherwise creating permanent sysctl(9) nodes will fail.
40 *
41 * To make it work, the prototype should be changed to something like:
42 *
43 * void secmodel_example_sysctl(void)
44 *
45 * and it should be called from secmodel_start().
46 *
47 * In addition, the CTLFLAG_PERMANENT flag must be removed from all the
48 * nodes.
49 */
50 SYSCTL_SETUP(sysctl_security_example_setup,
51 "sysctl security example setup")
52 {
53 const struct sysctlnode *rnode;
54
55 sysctl_createv(clog, 0, NULL, &rnode,
56 CTLFLAG_PERMANENT,
57 CTLTYPE_NODE, "security", NULL,
58 NULL, 0, NULL, 0,
59 CTL_CREATE, CTL_EOL);
60
61 sysctl_createv(clog, 0, &rnode, &rnode,
62 CTLFLAG_PERMANENT,
63 CTLTYPE_NODE, "models", NULL,
64 NULL, 0, NULL, 0,
65 CTL_CREATE, CTL_EOL);
66
67 sysctl_createv(clog, 0, &rnode, &rnode,
68 CTLFLAG_PERMANENT,
69 CTLTYPE_NODE, "example",
70 SYSCTL_DESCR("example security model"),
71 NULL, 0, NULL, 0,
72 CTL_CREATE, CTL_EOL);
73
74 sysctl_createv(clog, 0, &rnode, NULL,
75 CTLFLAG_PERMANENT,
76 CTLTYPE_STRING, "name", NULL,
77 NULL, 0, __UNCONST("Example"), 0
78 CTL_CREATE, CTL_EOL);
79
80 }
81
82 /*
83 * Start the security model.
84 */
85 void
86 secmodel_start(void)
87 {
88 secmodel_example_init();
89
90 kauth_listen_scope(KAUTH_SCOPE_GENERIC,
91 secmodel_example_generic_cb, NULL);
92 kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
93 secmodel_example_system_cb, NULL);
94 kauth_listen_scope(KAUTH_SCOPE_PROCESS,
95 secmodel_example_process_cb, NULL);
96 kauth_listen_scope(KAUTH_SCOPE_NETWORK,
97 secmodel_example_network_cb, NULL);
98 kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
99 secmodel_example_machdep_cb, NULL);
100 }
101
102 /*
103 * Security model: example
104 * Scope: Generic
105 */
106 int
107 secmodel_example_generic_cb(kauth_cred_t, kauth_action_t action,
108 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
109 {
110 int result;
111
112 result = KAUTH_RESULT_DENY;
113
114 switch(action) {
115 case KAUTH_GENERIC_ISSUSER:
116 case KAUTH_GENERIC_CANSEE:
117 default:
118 result = KAUTH_RESULT_DEFER;
119 break;
120 }
121
122 return (result);
123 }
124
125 /*
126 * Security model: example
127 * Scope: System
128 */
129 int
130 secmodel_example_system_cb(kauth_cred_t cred, kauth_action_t action,
131 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
132 {
133 int result;
134 enum kauth_system_req req;
135
136 result = KAUTH_RESULT_DENY;
137
138 req = (enum kauth_system_req)arg0;
139
140 switch (action) {
141 case KAUTH_SYSTEM_MOUNT:
142 switch (req) {
143 case KAUTH_REQ_SYSTEM_MOUNT_GET:
144 case KAUTH_REQ_SYSTEM_MOUNT_NEW:
145 case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
146 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
147 default:
148 result = KAUTH_RESULT_DEFER;
149 break;
150 }
151 break;
152
153 case KAUTH_SYSTEM_TIME:
154 switch (req) {
155 case KAUTH_REQ_SYSTEM_TIME_ADJTIME:
156 case KAUTH_REQ_SYSTEM_TIME_BACKWARDS:
157 case KAUTH_REQ_SYSTEM_TIME_NTPADJTIME:
158 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
159 case KAUTH_REQ_SYSTEM_TIME_SYSTEM:
160 case KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS:
161 default:
162 result = KAUTH_RESULT_DEFER;
163 break;
164 }
165 break;
166
167 case KAUTH_SYSTEM_SYSCTL:
168 switch (req) {
169 case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
170 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
171 case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
172 default:
173 result = KAUTH_RESULT_DEFER;
174 break;
175 }
176 break;
177
178 case KAUTH_SYSTEM_CHROOT:
179 switch (req) {
180 case KAUTH_REQ_SYSTEM_CHROOT_CHROOT:
181 case KAUTH_REQ_SYSTEM_CHROOT_FCHROOT:
182 default:
183 result = KAUTH_RESULT_DEFER;
184 break;
185 }
186 break;
187
188 case KAUTH_SYSTEM_CPU:
189 switch (req) {
190 case KAUTH_REQ_SYSTEM_CPU_SETSTATE:
191 default:
192 result = KAUTH_RESULT_DEFER;
193 break;
194 }
195 break;
196
197 case KAUTH_SYSTEM_DEBUG:
198 switch (req) {
199 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
200 default:
201 result = KAUTH_RESULT_DEFER;
202 break;
203 }
204 break;
205
206 case KAUTH_SYSTEM_PSET:
207 switch (req) {
208 case KAUTH_REQ_SYSTEM_PSET_ASSIGN:
209 case KAUTH_REQ_SYSTEM_PSET_BIND:
210 case KAUTH_REQ_SYSTEM_PSET_CREATE:
211 case KAUTH_REQ_SYSTEM_PSET_DESTROY:
212 default:
213 result = KAUTH_RESULT_DEFER;
214 break;
215 }
216 break;
217
218 case KAUTH_SYSTEM_LKM:
219 case KAUTH_SYSTEM_FILEHANDLE:
220 case KAUTH_SYSTEM_MKNOD:
221 case KAUTH_SYSTEM_MODULE:
222 case KAUTH_SYSTEM_SETIDCORE:
223 case KAUTH_SYSTEM_SWAPCTL:
224 case KAUTH_SYSTEM_ACCOUNTING:
225 case KAUTH_SYSTEM_REBOOT:
226 default:
227 result = KAUTH_RESULT_DEFER;
228 break;
229 }
230
231 return (result);
232 }
233
234 /*
235 * kauth(9) listener
236 *
237 * Security model: example
238 * Scope: Process
239 */
240 int
241 secmodel_example_process_cb(kauth_cred_t cred, kauth_action_t action,
242 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
243 {
244 int result;
245
246 result = KAUTH_RESULT_DENY;
247
248 switch (action) {
249 case KAUTH_PROCESS_KTRACE:
250 switch ((u_long)arg1) {
251 case KAUTH_REQ_PROCESS_KTRACE_PERSISTENT:
252 default:
253 result = KAUTH_RESULT_DEFER;
254 break;
255 }
256 break;
257
258 case KAUTH_PROCESS_PROCFS:
259 case KAUTH_PROCESS_CANSEE:
260 case KAUTH_PROCESS_SIGNAL:
261 case KAUTH_PROCESS_PTRACE:
262 case KAUTH_PROCESS_CORENAME:
263 case KAUTH_PROCESS_FORK:
264 case KAUTH_PROCESS_KEVENT_FILTER:
265 case KAUTH_PROCESS_NICE:
266 case KAUTH_PROCESS_RLIMIT:
267 case KAUTH_PROCESS_SCHEDULER_GETAFFINITY:
268 case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
269 case KAUTH_PROCESS_SCHEDULER_GETPARAM:
270 case KAUTH_PROCESS_SCHEDULER_SETPARAM:
271 case KAUTH_PROCESS_SETID:
272 case KAUTH_PROCESS_STOPFLAG:
273 default:
274 result = KAUTH_RESULT_DEFER;
275 break;
276 }
277
278 return (result);
279 }
280
281 /*
282 * kauth(9) listener
283 *
284 * Security model: example
285 * Scope: Network
286 */
287 int
288 secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
289 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
290 {
291 int result;
292
293 result = KAUTH_RESULT_DENY;
294
295 switch (action) {
296 case KAUTH_NETWORK_ALTQ:
297 switch((u_long)arg0) {
298 case KAUTH_REQ_NETWORK_ALTQ_AFMAP:
299 case KAUTH_REQ_NETWORK_ALTQ_BLUE:
300 case KAUTH_REQ_NETWORK_ALTQ_CBQ:
301 case KAUTH_REQ_NETWORK_ALTQ_CDNR:
302 case KAUTH_REQ_NETWORK_ALTQ_CONF:
303 case KAUTH_REQ_NETWORK_ALTQ_FIFOQ:
304 case KAUTH_REQ_NETWORK_ALTQ_HFSC:
305 case KAUTH_REQ_NETWORK_ALTQ_JOBS:
306 case KAUTH_REQ_NETWORK_ALTQ_PRIQ:
307 case KAUTH_REQ_NETWORK_ALTQ_RED:
308 case KAUTH_REQ_NETWORK_ALTQ_RIO:
309 case KAUTH_REQ_NETWORK_ALTQ_WFQ:
310 default:
311 result = KAUTH_RESULT_DEFER;
312 break;
313 }
314 break;
315
316 case KAUTH_NETWORK_BIND:
317 switch((u_long)arg0) {
318 case KAUTH_REQ_NETWORK_BIND_PORT:
319 case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
320 default:
321 result = KAUTH_RESULT_DEFER;
322 break;
323 }
324 break;
325
326 case KAUTH_NETWORK_FIREWALL:
327 switch ((u_long)arg0) {
328 case KAUTH_REQ_NETWORK_FIREWALL_FW:
329 case KAUTH_REQ_NETWORK_FIREWALL_NAT:
330 default:
331 result = KAUTH_RESULT_DEFER;
332 break;
333 }
334 break;
335
336 case KAUTH_NETWORK_FORWSRCRT:
337 break;
338
339 case KAUTH_NETWORK_INTERFACE:
340 switch ((u_long)arg0) {
341 case KAUTH_REQ_NETWORK_INTERFACE_GET:
342 case KAUTH_REQ_NETWORK_INTERFACE_SET:
343 case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
344 case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
345 default:
346 result = KAUTH_RESULT_DEFER;
347 break;
348 }
349 break;
350
351 case KAUTH_NETWORK_NFS:
352 switch ((u_long)arg0) {
353 case KAUTH_REQ_NETWORK_NFS_EXPORT:
354 case KAUTH_REQ_NETWORK_NFS_SVC:
355 default:
356 result = KAUTH_RESULT_DEFER;
357 break;
358 }
359 break;
360
361 case KAUTH_NETWORK_ROUTE:
362 break;
363
364 case KAUTH_NETWORK_SOCKET:
365 switch((u_long)arg0) {
366 case KAUTH_REQ_NETWORK_SOCKET_OPEN:
367 case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK:
368 case KAUTH_REQ_NETWORK_SOCKET_CANSEE:
369 default:
370 result = KAUTH_RESULT_DEFER;
371 break;
372 }
373 break;
374
375 default:
376 result = KAUTH_RESULT_DEFER;
377 break;
378 }
379
380 return (result);
381 }
382
383 /*
384 * kauth(9) listener
385 *
386 * Security model: example
387 * Scope: Machdep
388 */
389 int
390 secmodel_example_machdep_cb(kauth_cred_t cred, kauth_action_t action,
391 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
392 {
393 int result;
394
395 result = KAUTH_RESULT_DENY;
396
397 switch (action) {
398 case KAUTH_MACHDEP_IOPERM_GET:
399 case KAUTH_MACHDEP_IOPERM_SET:
400 case KAUTH_MACHDEP_IOPL:
401 case KAUTH_MACHDEP_LDT_GET:
402 case KAUTH_MACHDEP_LDT_SET:
403 case KAUTH_MACHDEP_MTRR_GET:
404 case KAUTH_MACHDEP_MTRR_SET:
405 case KAUTH_MACHDEP_UNMANAGEDMEM:
406 default:
407 result = KAUTH_RESULT_DEFER;
408 break;
409 }
410
411 return (result);
412 }
413
414 /*
415 * kauth(9) listener
416 *
417 * Security model: example
418 * Scope: Device
419 */
420 int
421 secmodel_example_device_cb(kauth_cred_t cred, kauth_action_t action,
422 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
423 {
424 int result;
425
426 result = KAUTH_RESULT_DENY;
427
428 switch (action) {
429 case KAUTH_DEVICE_TTY_OPEN:
430 case KAUTH_DEVICE_TTY_PRIVSET:
431 case KAUTH_DEVICE_TTY_STI:
432 break;
433
434 case KAUTH_DEVICE_RAWIO_SPEC:
435 switch ((u_long)arg0) {
436 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
437 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
438 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
439 break;
440
441 default:
442 result = KAUTH_RESULT_DEFER;
443 break;
444 }
445
446 break;
447
448 case KAUTH_DEVICE_RAWIO_PASSTHRU:
449 default:
450 result = KAUTH_RESULT_DEFER;
451 break;
452 }
453
454 return (result);
455 }
NetBSD on the FriendlyARM MINI2440