1.\" $NetBSD: kauth.9,v 1.4 2006/05/28 06:50:37 yamt Exp $ 2.\" 3.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by Elad Efrat. 17.\" 4. The name of the author may not be used to endorse or promote products 18.\" derived from this software without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd May 28, 2006 32.Dt KAUTH 9 33.Os 34.Sh NAME 35.Nm kauth 36.Nd kernel authorization framework 37.Sh SYNOPSIS 38.In sys/kauth.h 39.Sh DESCRIPTION 40.Nm , 41or kernel authorization, is the subsystem managing all authorization requests 42inside the kernel. 43It manages user credentials and rights, and can be used 44to implement a system-wide security policy. 45It allows external modules to plug-in the authorization process. 46.Pp 47.Nm 48introduces some new concepts, namely 49.Dq scopes 50and 51.Dq listeners , 52which will be detailed together with other useful information for kernel 53developers in this document. 54.Sh TYPES 55Some 56.Nm 57types include the following: 58.Bl -tag -width "123456" 59.It kauth_cred_t 60Representing credentials that can be associated with an object. 61Includes user- and group-ids (real, effective, and save) as well as group 62membership information. 63.It kauth_scope_t 64Describes a scope. 65.It kauth_listener_t 66Describes a listener. 67.El 68.Ss Terminology 69.Nm 70operates in various 71.Dq scopes , 72each scope holding a group of 73.Dq listeners . 74.Pp 75Each listener works as a callback for when an authorization request within the 76scope is made. 77When such a request is made, all listeners on the scope are passed common 78information such as the credentials of the request context, an identifier for 79the requested operation, and possibly other information as well. 80.Pp 81Every listener examines the passed information and returns its decision 82regarding the requested operation. 83It can either allow, deny, or defer the operation -- in which case, the 84decision is left to the other listeners. 85.Pp 86For an operation to be allowed, all listeners must not return any deny 87or defer decisions. 88.Pp 89Scopes manage listeners that operate in the same aspect of the system. 90.Ss Kernel Programming Interface 91.Nm 92exports a KPI that allows developers both of 93.Nx 94and third-party products to authorize requests, access and modify credentials, 95create and remove scopes and listeners, and perform other miscellaneous operations on 96credentials. 97.Ss Authorization Requests 98.Nm 99provides a single authorization request routine, which all authorization 100requests go through. 101This routine dispatches the request to the listeners of the appropriate scope, 102together with four optional user-data variables, and returns the augmented 103result. 104.Pp 105It is declared as 106.Pp 107.Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \ 108"kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3" 109.Pp 110An authorization request can return one of two possible values. 111Zero indicates success -- the operation is allowed; 112.Er EPERM 113(see 114.Xr errno 2 ) 115indicates failure -- the operation is denied. 116.Pp 117Each scope has its own authorization wrapper, to make it easy to call from various 118places by eliminating the need to specify the scope and/or cast values. 119The authorization wrappers are detailed in each scope's section. 120.Ss Generic Scope 121The generic scope, 122.Dq org.netbsd.kauth.generic , 123manages generic authorization requests in the kernel. 124.Pp 125The authorization wrapper for this scope is declared as 126.Pp 127.Ft int Fn kauth_authorize_generic "kauth_cred_t cred" "kauth_action_t op" \ 128"void *arg0" 129.Pp 130The following operations are available for this scope: 131.Bl -tag -width "123456" 132.It Dv KAUTH_GENERIC_ISSUSER 133Checks whether the credentials belong to the super-user. 134.Pp 135If 136.Ar arg0 137is not 138.Dv NULL , 139it's treated as a 140.Ft u_short * 141to accounting flags, and the 142.Dv ACU 143flag is set. 144.El 145.Ss Process Scope 146The process scope, 147.Dq org.netbsd.kauth.process , 148manages authorization requests related to processes in the system. 149.Pp 150The authorization wrapper for this scope is declared as 151.Pp 152.Ft int Fn kauth_authorize_process "kauth_cred_t cred" \ 153"kauth_action_t op" "struct proc *p" "void *arg1" "void *arg2" \ 154"void *arg3" 155.Pp 156The following operations are available for this scope: 157.Bl -tag -width "123456" 158.It Dv KAUTH_PROCESS_CANPTRACE 159Checks whether an object with one set of credentials can use 160.Xr ptrace 2 161on another process, possibly with a different set of credentials. 162.Pp 163.Ar arg1 164contains the credentials of the process being attached to. 165.It Dv KAUTH_PROCESS_CANSIGNAL 166Checks whether an object with one set of credentials can post signals 167to another process. 168.Pp 169.Ar arg1 170and 171.Ar arg2 172contain the credentials 173.Ft ( kauth_cred_t ) 174and the process data 175.Ft ( struct proc * ) 176of the process the signal is posted to, respectively. 177.Ar arg3 178is the signal to be posted. 179.It Dv KAUTH_PROCESS_CANSEE 180Checks whether an object with one set of credentials can access 181information about another object, possibly with a different set of 182credentials. 183.Pp 184.Ar arg1 185contains the credentials of the process looked at. 186.El 187.Ss Credentials Accessors and Mutators 188.Nm 189has a variety of accessor and mutator routines to handle 190.Ft kauth_cred_t 191objects. 192.Pp 193The following routines can be used to access and modify the user- and 194group-ids in a 195.Ft kauth_cred_t : 196.Bl -tag -width "123456" 197.It Ft uid_t Fn kauth_cred_getuid "kauth_cred_t cred" 198Returns the real user-id from 199.Ar cred . 200.It Ft uid_t Fn kauth_cred_geteuid "kauth_cred_t cred" 201Returns the effective user-id from 202.Ar cred . 203.It Ft uid_t Fn kauth_cred_getsvuid "kauth_cred_t cred" 204Returns the saved user-id from 205.Ar cred . 206.It Ft void Fn kauth_cred_setuid "kauth_cred_t cred" "uid_t uid" 207Sets the real user-id in 208.Ar cred 209to 210.Ar uid . 211.It Ft void Fn kauth_cred_seteuid "kauth_cred_t cred" "uid_t uid" 212Sets the effective user-id in 213.Ar cred 214to 215.Ar uid . 216.It Ft void Fn kauth_cred_setsvuid "kauth_cred_t cred" "uid_t uid" 217Sets the saved user-id in 218.Ar cred 219to 220.Ar uid . 221.It Ft gid_t Fn kauth_cred_getgid "kauth_cred_t cred" 222Returns the real group-id from 223.Ar cred . 224.It Ft gid_t Fn kauth_cred_getegid "kauth_cred_t cred" 225Returns the effective group-id from 226.Ar cred . 227.It Ft gid_t Fn kauth_cred_getsvgid "kauth_cred_t cred" 228Returns the saved group-id from 229.Ar cred . 230.It Ft void Fn kauth_cred_setgid "kauth_cred_t cred" "gid_t gid" 231Sets the real group-id in 232.Ar cred 233to 234.Ar gid . 235.It Ft void Fn kauth_cred_setegid "kauth_cred_t cred" "gid_t gid" 236Sets the effective group-id in 237.Ar cred 238to 239.Ar gid . 240.It Ft void Fn kauth_cred_setsvgid "kauth_cred_t cred" "gid_t gid" 241Sets the saved group-id in 242.Ar cred 243to 244.Ar gid . 245.It Ft uint16_t Fn kauth_cred_getrefcnt "kauth_cred_t cred" 246Return the reference count for 247.Ar cred . 248.El 249.Pp 250The following routines can be used to access and modify the group 251list in a 252.Ft kauth_cred_t : 253.Bl -tag -width "123456" 254.It Ft int Fn kauth_cred_ismember_gid "kauth_cred_t cred" "gid_t gid" \ 255"int *resultp" 256Checks if the group-id 257.Ar gid 258is a member in the group list of 259.Ar cred . 260.Pp 261If it is, 262.Ar resultp 263will be set to one, otherwise, to zero. 264.Pp 265The return value is an error code, or zero for success. 266.It Ft uint16_t Fn kauth_cred_ngroups "kauth_cred_t cred" 267Return the number of groups in the group list of 268.Ar cred . 269.It Ft int Fn kauth_cred_group "kauth_cred_t cred" "uint16_t idx" 270Return the group-id of the group at index 271.Ar idx 272in the group list of 273.Ar cred . 274.It Ft int Fn kauth_cred_setgroups "kauth_cred_t cred" "gid_t *groups" \ 275"size_t ngroups" "uid_t gmuid" 276Copy 277.Ar ngroups 278groups from array pointed to by 279.Ar groups 280to the group list in 281.Ar cred , 282adjusting the number of groups in 283.Ar cred 284appropriately. 285.Pp 286Any groups remaining will be set to an invalid value. 287.Pp 288.Ar gmuid 289is unused for now, and to maintain interface compatibility with the Darwin 290KPI. 291.It Ft int Fn kauth_cred_getgroups "kauth_cred_t cred" "gid_t *groups" \ 292"size_t ngroups" 293Copy 294.Ar ngroups 295groups from the group list in 296.Ar cred 297to the buffer pointed to by 298.Ar groups . 299.Pp 300The number of groups in 301.Ar cred 302will be returned. 303.El 304.Ss Credentials Inheritance and Reference Counting 305.Nm 306provides a KPI for handling a 307.Ft kauth_cred_t 308in shared credentials situations and credential inheritance. 309.Pp 310When a 311.Ft kauth_cred_t 312is first allocated, its reference count is set to 1. 313However, with time, its reference count can grow as more objects (processes, 314files, etc.) reference it. 315One such case is during a 316.Xr fork 2 317where the child process inherits the credentials of the parent. 318.Pp 319To prevent freeing a 320.Ft kauth_cred_t 321while it is still referenced, the following routines are available to maintain 322its reference count: 323.Bl -tag -width "123456" 324.It Ft void Fn kauth_cred_hold "kauth_cred_t cred" 325Increases reference count to 326.Ar cred 327by one. 328.It Ft void Fn kauth_cred_free "kauth_cred_t cred" 329Decreases the reference count to 330.Ar cred 331by one. 332.Pp 333If the reference count dropped to zero, the memory used by 334.Ar cred 335will be returned back to the memory pool. 336.El 337.Ss Credentials Memory Management 338Data-structures for credentials, listeners, and scopes are allocated from 339memory pools managed by the 340.Xr pool 9 341subsystem. 342.Pp 343The 344.Ft kauth_cred_t 345objects have their own memory management routines: 346.Bl -tag -width "123456" 347.It Ft kauth_cred_t Fn kauth_cred_alloc "void" 348Allocates a new 349.Ft kauth_cred_t , 350initializes its lock, and sets its reference count to one. 351.El 352.Ss Conversion Routines 353Sometimes it might be necessary to convert a 354.Ft kauth_cred_t 355to a predecessing type, such as 356.Ft struct pcred 357or 358.Ft struct ucred , 359or convert credentials passed from userland as a 360.Ft struct uucred 361to a 362.Ft kauth_cred_t . 363.Pp 364The following routines are available for these cases: 365.Bl -tag -width "123456" 366.It Ft void Fn kauth_cred_topcred "kauth_cred_t cred" "struct pcred *pcred" 367Convert a 368.Ft kauth_cred_t 369to a 370.Ft struct pcred . 371.Pp 372This includes real and saved user- and group-ids, a kernel-space pointer 373to a 374.Ft struct ucred 375(the address of 376.Ar cred 377is used for this), and reference count, copied from 378.Ar cred . 379.It Ft void Fn kauth_cred_toucred "kauth_cred_t cred" "struct ucred *ucred" 380Convert a 381.Ft kauth_cred_t 382to a 383.Ft struct ucred . 384.Pp 385This includes effective user- and group-ids, number of groups, and the group 386list from 387.Ar cred . 388.Pp 389Note that 390.Nm 391will try to copy as many groups as 392.Ar ucred 393can hold. 394.It Ft void Fn kauth_cred_uucvt "kauth_cred_t cred" "const struct uucred *uucred" 395Convert userland's view of credentials to a 396.Ft kauth_cred_t . 397.Pp 398This includes effective user- and group-ids, a number of groups, and a group 399list. 400The reference count is set to one. 401.Pp 402Note that 403.Nm 404will try to copy as many groups as can be held inside a 405.Ft kauth_cred_t . 406The addition of groups will also guarantee order and no duplicates. 407.It Ft int Fn kauth_cred_uucmp "kauth_cred_t cred" "struct uucred *uucred" 408Compares 409.Ar cred 410with the userland credentials in 411.Ar uucred . 412.Pp 413Common values that will be compared are effective user- and group-ids, and 414the group list. 415.El 416.Ss Miscellaneous Routines 417Other routines provided by 418.Nm 419are: 420.Bl -tag -width "123456" 421.It Ft void Fn kauth_cred_clone "kauth_cred_t cred1" "kauth_cred_t cred2" 422Clone credentials from 423.Ar cred1 424to 425.Ar cred2 , 426except for the lock and reference count. 427.Pp 428.It Ft kauth_cred_t Fn kauth_cred_dup "kauth_cred_t cred" 429Duplicate 430.Ar cred . 431.Pp 432What this routine does is call 433.Fn kauth_cred_alloc 434followed by a call to 435.Fn kauth_cred_clone . 436.It Ft kauth_cred_t Fn kauth_cred_copy "kauth_cred_t cred" 437Works like 438.Fn kauth_cred_dup , 439except for a few differences. 440.Pp 441If 442.Ar cred 443already has a reference count of one, it will be returned. 444Otherwise, a new 445.Ft kauth_cred_t 446will be allocated and the credentials from 447.Ar cred 448will be cloned to it. 449Last, a call to 450.Fn kauth_cred_free 451for 452.Ar cred 453will be done. 454.It Ft kauth_cred_t Fn kauth_cred_get "void" 455Return the credentials associated with the current process. 456.El 457.Ss Scope Management 458.Nm 459provides routines to manage the creation and deletion of scopes on the 460system. 461.Pp 462Note that the built-in scopes, the 463.Dq generic 464scope and the 465.Dq process 466scope, can't be deleted. 467.Bl -tag -width "123456" 468.It Ft kauth_scope_t Fn kauth_register_scope "const char *id" \ 469"kauth_scope_callback_t cb" "void *cookie" 470Register a new scope on the system. 471.Ar id 472is the name of the scope, usually in reverse DNS-like notation. 473For example, 474.Dq org.netbsd.kauth.myscope . 475.Ar cb 476is the default listener, to which authorization requests for this scope 477will be dispatched to. 478.Ar cookie 479is optional user-data that will be passed to all listeners 480during authorization on the scope. 481.It Ft void Fn kauth_deregister_scope "kauth_scope_t scope" 482Deregister 483.Ar scope 484from the scopes available on the system. 485.El 486.Ss Listener Management 487Listeners in 488.Nm 489are authorization callbacks that are called during an authorization 490request in the scope which they belong to. 491.Pp 492When an authorization request is made, all listeners associated with 493a scope are called to allow, deny, or defer the request. 494.Pp 495It is enough for one listener to deny the request in order for the 496request to be denied; but all listeners are called during an authorization 497process none-the-less. 498All listeners are required to allow the request for it to be granted, 499and in a case where all listeners defer the request -- leaving the decision 500for other listeners -- the request is denied. 501.Pp 502The following KPI is provided for the management of listeners: 503.Bl -tag -width "123456" 504.It Ft kauth_listener_t Fn kauth_listen_scope "const char *id" \ 505"kauth_scope_callback_t cb" "void *cookie" 506Create a new listener on the scope with the id 507.Ar id , 508setting the default listener to 509.Ar cb . 510.\".Ar cookie 511.\"is optional user-data that will be passed to the listener when called 512.\"during an authorization request. 513.It Ft void Fn kauth_unlisten_scope "kauth_listener_t listener" 514Remove 515.Ar listener 516from the scope which it belongs to. 517.Pp 518Effectively what this does is is remove the callback from the chain of 519functions to be called when an authorization request is made, preventing 520from the listener from being entered in the future. 521.El 522.Pp 523.Nm 524provides no means for synchronization within listeners. 525It is the the programmer's responsibility to make sure data used by the 526listener is properly locked during its use, as it can be accessed 527simultaneously from the same listener called multiple times. 528It is also the programmer's responsibility to do garbage collection after 529the listener, possibly freeing any allocated data it used. 530.Pp 531The common method to do the above is by having a reference count to 532each listener. 533On entry to the listener, this reference count should be raised, and 534on exit -- lowered. 535.Pp 536During the removal of a listener, first 537.Fn kauth_scope_unlisten 538should be called to make sure the listener code will not be entered in 539the future. 540Then, the code should wait (possibly sleeping) until the reference count 541drops to zero. 542When that happens, it is safe to do the final cleanup. 543.\".Sh EXAMPLES 544.\" .Sh SEE ALSO 545.Sh HISTORY 546The kernel authorization framework first appeared in Mac OS X 10.4. 547.Pp 548The kernel authorization framework in 549.Nx 550first appeared in 551.Nx 5.0 , 552and is a clean-room implementation based on Apple TN2127, available at 553http://developer.apple.com/technotes/tn2005/tn2127.html 554.Sh AUTHORS 555.An Elad Efrat Aq elad@NetBSD.org 556implemented the kernel authorization framework in 557.Nx . 558.Pp 559.An Jason R. Thorpe Aq thorpej@NetBSD.org 560provided guidance and answered questions about the Darwin implementation. 561.Sh ONE MORE THING 562The 563.Nm 564framework is dedicated to Brian Mitchell, one of the most talented people 565I know. 566Thanks for everything. 567