No empty .Rs/.Re
[netbsd-mini2440.git] / share / examples / secmodel / secmodel_example.c
blobd45015ca0526ba10ba646006798238aac6e91957
1 /* $NetBSD: secmodel_example.c,v 1.24 2008/02/28 16:09:18 elad Exp $ */
3 /*
4 * This file is placed in the public domain.
5 */
7 /*
8 * Skeleton file for building a NetBSD security model from scratch, containing
9 * every kauth(9) scope, action, and request, as well as some coding hints.
11 * This file will be kept in-sync with the official NetBSD kernel, so *always*
12 * use the latest revision.
15 #include <sys/cdefs.h>
16 __KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.24 2008/02/28 16:09:18 elad Exp $");
18 #include <sys/types.h>
19 #include <sys/param.h>
20 #include <sys/kauth.h>
22 #include <sys/sysctl.h>
24 #include <secmodel/secmodel.h>
26 #include <secmodel/example/example.h>
29 * Initialize the security model.
31 void
32 secmodel_example_init(void)
34 return;
38 * If the security model is to be used as an LKM, this routine should be
39 * changed, because otherwise creating permanent sysctl(9) nodes will fail.
41 * To make it work, the prototype should be changed to something like:
43 * void secmodel_example_sysctl(void)
45 * and it should be called from secmodel_start().
47 * In addition, the CTLFLAG_PERMANENT flag must be removed from all the
48 * nodes.
50 SYSCTL_SETUP(sysctl_security_example_setup,
51 "sysctl security example setup")
53 const struct sysctlnode *rnode;
55 sysctl_createv(clog, 0, NULL, &rnode,
56 CTLFLAG_PERMANENT,
57 CTLTYPE_NODE, "security", NULL,
58 NULL, 0, NULL, 0,
59 CTL_CREATE, CTL_EOL);
61 sysctl_createv(clog, 0, &rnode, &rnode,
62 CTLFLAG_PERMANENT,
63 CTLTYPE_NODE, "models", NULL,
64 NULL, 0, NULL, 0,
65 CTL_CREATE, CTL_EOL);
67 sysctl_createv(clog, 0, &rnode, &rnode,
68 CTLFLAG_PERMANENT,
69 CTLTYPE_NODE, "example",
70 SYSCTL_DESCR("example security model"),
71 NULL, 0, NULL, 0,
72 CTL_CREATE, CTL_EOL);
74 sysctl_createv(clog, 0, &rnode, NULL,
75 CTLFLAG_PERMANENT,
76 CTLTYPE_STRING, "name", NULL,
77 NULL, 0, __UNCONST("Example"), 0
78 CTL_CREATE, CTL_EOL);
83 * Start the security model.
85 void
86 secmodel_start(void)
88 secmodel_example_init();
90 kauth_listen_scope(KAUTH_SCOPE_GENERIC,
91 secmodel_example_generic_cb, NULL);
92 kauth_listen_scope(KAUTH_SCOPE_SYSTEM,
93 secmodel_example_system_cb, NULL);
94 kauth_listen_scope(KAUTH_SCOPE_PROCESS,
95 secmodel_example_process_cb, NULL);
96 kauth_listen_scope(KAUTH_SCOPE_NETWORK,
97 secmodel_example_network_cb, NULL);
98 kauth_listen_scope(KAUTH_SCOPE_MACHDEP,
99 secmodel_example_machdep_cb, NULL);
103 * Security model: example
104 * Scope: Generic
107 secmodel_example_generic_cb(kauth_cred_t, kauth_action_t action,
108 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
110 int result;
112 result = KAUTH_RESULT_DENY;
114 switch(action) {
115 case KAUTH_GENERIC_ISSUSER:
116 case KAUTH_GENERIC_CANSEE:
117 default:
118 result = KAUTH_RESULT_DEFER;
119 break;
122 return (result);
126 * Security model: example
127 * Scope: System
130 secmodel_example_system_cb(kauth_cred_t cred, kauth_action_t action,
131 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
133 int result;
134 enum kauth_system_req req;
136 result = KAUTH_RESULT_DENY;
138 req = (enum kauth_system_req)arg0;
140 switch (action) {
141 case KAUTH_SYSTEM_MOUNT:
142 switch (req) {
143 case KAUTH_REQ_SYSTEM_MOUNT_GET:
144 case KAUTH_REQ_SYSTEM_MOUNT_NEW:
145 case KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT:
146 case KAUTH_REQ_SYSTEM_MOUNT_UPDATE:
147 default:
148 result = KAUTH_RESULT_DEFER;
149 break;
151 break;
153 case KAUTH_SYSTEM_TIME:
154 switch (req) {
155 case KAUTH_REQ_SYSTEM_TIME_ADJTIME:
156 case KAUTH_REQ_SYSTEM_TIME_BACKWARDS:
157 case KAUTH_REQ_SYSTEM_TIME_NTPADJTIME:
158 case KAUTH_REQ_SYSTEM_TIME_RTCOFFSET:
159 case KAUTH_REQ_SYSTEM_TIME_SYSTEM:
160 case KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS:
161 default:
162 result = KAUTH_RESULT_DEFER;
163 break;
165 break;
167 case KAUTH_SYSTEM_SYSCTL:
168 switch (req) {
169 case KAUTH_REQ_SYSTEM_SYSCTL_ADD:
170 case KAUTH_REQ_SYSTEM_SYSCTL_DELETE:
171 case KAUTH_REQ_SYSTEM_SYSCTL_DESC:
172 default:
173 result = KAUTH_RESULT_DEFER;
174 break;
176 break;
178 case KAUTH_SYSTEM_CHROOT:
179 switch (req) {
180 case KAUTH_REQ_SYSTEM_CHROOT_CHROOT:
181 case KAUTH_REQ_SYSTEM_CHROOT_FCHROOT:
182 default:
183 result = KAUTH_RESULT_DEFER;
184 break;
186 break;
188 case KAUTH_SYSTEM_CPU:
189 switch (req) {
190 case KAUTH_REQ_SYSTEM_CPU_SETSTATE:
191 default:
192 result = KAUTH_RESULT_DEFER;
193 break;
195 break;
197 case KAUTH_SYSTEM_DEBUG:
198 switch (req) {
199 case KAUTH_REQ_SYSTEM_DEBUG_IPKDB:
200 default:
201 result = KAUTH_RESULT_DEFER;
202 break;
204 break;
206 case KAUTH_SYSTEM_PSET:
207 switch (req) {
208 case KAUTH_REQ_SYSTEM_PSET_ASSIGN:
209 case KAUTH_REQ_SYSTEM_PSET_BIND:
210 case KAUTH_REQ_SYSTEM_PSET_CREATE:
211 case KAUTH_REQ_SYSTEM_PSET_DESTROY:
212 default:
213 result = KAUTH_RESULT_DEFER;
214 break;
216 break;
218 case KAUTH_SYSTEM_LKM:
219 case KAUTH_SYSTEM_FILEHANDLE:
220 case KAUTH_SYSTEM_MKNOD:
221 case KAUTH_SYSTEM_MODULE:
222 case KAUTH_SYSTEM_SETIDCORE:
223 case KAUTH_SYSTEM_SWAPCTL:
224 case KAUTH_SYSTEM_ACCOUNTING:
225 case KAUTH_SYSTEM_REBOOT:
226 default:
227 result = KAUTH_RESULT_DEFER;
228 break;
231 return (result);
235 * kauth(9) listener
237 * Security model: example
238 * Scope: Process
241 secmodel_example_process_cb(kauth_cred_t cred, kauth_action_t action,
242 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
244 int result;
246 result = KAUTH_RESULT_DENY;
248 switch (action) {
249 case KAUTH_PROCESS_KTRACE:
250 switch ((u_long)arg1) {
251 case KAUTH_REQ_PROCESS_KTRACE_PERSISTENT:
252 default:
253 result = KAUTH_RESULT_DEFER;
254 break;
256 break;
258 case KAUTH_PROCESS_PROCFS:
259 case KAUTH_PROCESS_CANSEE:
260 case KAUTH_PROCESS_SIGNAL:
261 case KAUTH_PROCESS_PTRACE:
262 case KAUTH_PROCESS_CORENAME:
263 case KAUTH_PROCESS_FORK:
264 case KAUTH_PROCESS_KEVENT_FILTER:
265 case KAUTH_PROCESS_NICE:
266 case KAUTH_PROCESS_RLIMIT:
267 case KAUTH_PROCESS_SCHEDULER_GETAFFINITY:
268 case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
269 case KAUTH_PROCESS_SCHEDULER_GETPARAM:
270 case KAUTH_PROCESS_SCHEDULER_SETPARAM:
271 case KAUTH_PROCESS_SETID:
272 case KAUTH_PROCESS_STOPFLAG:
273 default:
274 result = KAUTH_RESULT_DEFER;
275 break;
278 return (result);
282 * kauth(9) listener
284 * Security model: example
285 * Scope: Network
288 secmodel_example_network_cb(kauth_cred_t cred, kauth_action_t action,
289 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
291 int result;
293 result = KAUTH_RESULT_DENY;
295 switch (action) {
296 case KAUTH_NETWORK_ALTQ:
297 switch((u_long)arg0) {
298 case KAUTH_REQ_NETWORK_ALTQ_AFMAP:
299 case KAUTH_REQ_NETWORK_ALTQ_BLUE:
300 case KAUTH_REQ_NETWORK_ALTQ_CBQ:
301 case KAUTH_REQ_NETWORK_ALTQ_CDNR:
302 case KAUTH_REQ_NETWORK_ALTQ_CONF:
303 case KAUTH_REQ_NETWORK_ALTQ_FIFOQ:
304 case KAUTH_REQ_NETWORK_ALTQ_HFSC:
305 case KAUTH_REQ_NETWORK_ALTQ_JOBS:
306 case KAUTH_REQ_NETWORK_ALTQ_PRIQ:
307 case KAUTH_REQ_NETWORK_ALTQ_RED:
308 case KAUTH_REQ_NETWORK_ALTQ_RIO:
309 case KAUTH_REQ_NETWORK_ALTQ_WFQ:
310 default:
311 result = KAUTH_RESULT_DEFER;
312 break;
314 break;
316 case KAUTH_NETWORK_BIND:
317 switch((u_long)arg0) {
318 case KAUTH_REQ_NETWORK_BIND_PORT:
319 case KAUTH_REQ_NETWORK_BIND_PRIVPORT:
320 default:
321 result = KAUTH_RESULT_DEFER;
322 break;
324 break;
326 case KAUTH_NETWORK_FIREWALL:
327 switch ((u_long)arg0) {
328 case KAUTH_REQ_NETWORK_FIREWALL_FW:
329 case KAUTH_REQ_NETWORK_FIREWALL_NAT:
330 default:
331 result = KAUTH_RESULT_DEFER;
332 break;
334 break;
336 case KAUTH_NETWORK_FORWSRCRT:
337 break;
339 case KAUTH_NETWORK_INTERFACE:
340 switch ((u_long)arg0) {
341 case KAUTH_REQ_NETWORK_INTERFACE_GET:
342 case KAUTH_REQ_NETWORK_INTERFACE_SET:
343 case KAUTH_REQ_NETWORK_INTERFACE_GETPRIV:
344 case KAUTH_REQ_NETWORK_INTERFACE_SETPRIV:
345 default:
346 result = KAUTH_RESULT_DEFER;
347 break;
349 break;
351 case KAUTH_NETWORK_NFS:
352 switch ((u_long)arg0) {
353 case KAUTH_REQ_NETWORK_NFS_EXPORT:
354 case KAUTH_REQ_NETWORK_NFS_SVC:
355 default:
356 result = KAUTH_RESULT_DEFER;
357 break;
359 break;
361 case KAUTH_NETWORK_ROUTE:
362 break;
364 case KAUTH_NETWORK_SOCKET:
365 switch((u_long)arg0) {
366 case KAUTH_REQ_NETWORK_SOCKET_OPEN:
367 case KAUTH_REQ_NETWORK_SOCKET_RAWSOCK:
368 case KAUTH_REQ_NETWORK_SOCKET_CANSEE:
369 default:
370 result = KAUTH_RESULT_DEFER;
371 break;
373 break;
375 default:
376 result = KAUTH_RESULT_DEFER;
377 break;
380 return (result);
384 * kauth(9) listener
386 * Security model: example
387 * Scope: Machdep
390 secmodel_example_machdep_cb(kauth_cred_t cred, kauth_action_t action,
391 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
393 int result;
395 result = KAUTH_RESULT_DENY;
397 switch (action) {
398 case KAUTH_MACHDEP_IOPERM_GET:
399 case KAUTH_MACHDEP_IOPERM_SET:
400 case KAUTH_MACHDEP_IOPL:
401 case KAUTH_MACHDEP_LDT_GET:
402 case KAUTH_MACHDEP_LDT_SET:
403 case KAUTH_MACHDEP_MTRR_GET:
404 case KAUTH_MACHDEP_MTRR_SET:
405 case KAUTH_MACHDEP_UNMANAGEDMEM:
406 default:
407 result = KAUTH_RESULT_DEFER;
408 break;
411 return (result);
415 * kauth(9) listener
417 * Security model: example
418 * Scope: Device
421 secmodel_example_device_cb(kauth_cred_t cred, kauth_action_t action,
422 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
424 int result;
426 result = KAUTH_RESULT_DENY;
428 switch (action) {
429 case KAUTH_DEVICE_TTY_OPEN:
430 case KAUTH_DEVICE_TTY_PRIVSET:
431 case KAUTH_DEVICE_TTY_STI:
432 break;
434 case KAUTH_DEVICE_RAWIO_SPEC:
435 switch ((u_long)arg0) {
436 case KAUTH_REQ_DEVICE_RAWIO_SPEC_READ:
437 case KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE:
438 case KAUTH_REQ_DEVICE_RAWIO_SPEC_RW:
439 break;
441 default:
442 result = KAUTH_RESULT_DEFER;
443 break;
446 break;
448 case KAUTH_DEVICE_RAWIO_PASSTHRU:
449 default:
450 result = KAUTH_RESULT_DEFER;
451 break;
454 return (result);