xref: /netbsd-src/share/man/man9/kauth.9 (revision 1921cb5602567cfc8401cc953be22fe9d74238f2) 
1.\" $NetBSD: kauth.9,v 1.19 2006/10/03 02:06:28 wiz Exp $
2.\"
3.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\"    must display the following acknowledgement:
16.\"      This product includes software developed by Elad Efrat.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\"    derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.Dd September 30, 2006
32.Dt KAUTH 9
33.Os
34.Sh NAME
35.Nm kauth
36.Nd kernel authorization framework
37.Sh SYNOPSIS
38.In sys/kauth.h
39.Sh DESCRIPTION
40.Nm ,
41or kernel authorization, is the subsystem managing all authorization requests
42inside the kernel.
43It manages user credentials and rights, and can be used
44to implement a system-wide security policy.
45It allows external modules to plug-in the authorization process.
46.Pp
47.Nm
48introduces some new concepts, namely
49.Dq scopes
50and
51.Dq listeners ,
52which will be detailed together with other useful information for kernel
53developers in this document.
54.Ss Types
55Some
56.Nm
57types include the following:
58.Bl -tag
59.It kauth_cred_t
60Representing credentials that can be associated with an object.
61Includes user- and group-ids (real, effective, and save) as well as group
62membership information.
63.It kauth_scope_t
64Describes a scope.
65.It kauth_listener_t
66Describes a listener.
67.El
68.Ss Terminology
69.Nm
70operates in various
71.Dq scopes ,
72each scope holding a group of
73.Dq listeners .
74.Pp
75Each listener works as a callback for when an authorization request within the
76scope is made.
77When such a request is made, all listeners on the scope are passed common
78information such as the credentials of the request context, an identifier for
79the requested operation, and possibly other information as well.
80.Pp
81Every listener examines the passed information and returns its decision
82regarding the requested operation.
83It can either allow, deny, or defer the operation -- in which case, the
84decision is left to the other listeners.
85.Pp
86For an operation to be allowed, all listeners must not return any deny
87or defer decisions.
88.Pp
89Scopes manage listeners that operate in the same aspect of the system.
90.Ss Kernel Programming Interface
91.Nm
92exports a KPI that allows developers both of
93.Nx
94and third-party products to authorize requests, access and modify credentials,
95create and remove scopes and listeners, and perform other miscellaneous operations on
96credentials.
97.Ss Authorization Requests
98.Nm
99provides a single authorization request routine, which all authorization
100requests go through.
101This routine dispatches the request to the listeners of the appropriate scope,
102together with four optional user-data variables, and returns the augmented
103result.
104.Pp
105It is declared as
106.Pp
107.Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \
108"kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3"
109.Pp
110An authorization request can return one of two possible values.
111Zero indicates success -- the operation is allowed;
112.Er EPERM
113(see
114.Xr errno 2 )
115indicates failure -- the operation is denied.
116.Pp
117Each scope has its own authorization wrapper, to make it easy to call from various
118places by eliminating the need to specify the scope and/or cast values.
119The authorization wrappers are detailed in each scope's section.
120.Ss Generic Scope
121The generic scope,
122.Dq org.netbsd.kauth.generic ,
123manages generic authorization requests in the kernel.
124.Pp
125The authorization wrapper for this scope is declared as
126.Pp
127.Ft int Fn kauth_authorize_generic "kauth_cred_t cred" "kauth_action_t op" \
128"void *arg0"
129.Pp
130The following operations are available for this scope:
131.Bl -tag
132.It Dv KAUTH_GENERIC_ISSUSER
133Checks whether the credentials belong to the super-user.
134.Pp
135Using this request is strongly discouraged and should only be done as a
136temporary place-holder, as it is breaking the separation between the
137interface for authorization requests from the back-end implementation.
138.It Dv KAUTH_GENERIC_CANSEE
139Checks whether an object with one set of credentials can access
140information about another object, possibly with a different set of
141credentials.
142.Pp
143.Ar arg0
144contains the credentials of the object looked at.
145.Pp
146This request should be issued only in cases where generic credentials
147check is required; otherwise it is recommended to use the object-specific
148routines.
149.El
150.Ss System Scope
151The system scope,
152.Dq org.netbsd.kauth.system ,
153manages authorization requests affecting the entire system.
154.Pp
155The authorization wrapper for this scope is declared as
156.Pp
157.Ft int Fn kauth_authorize_system "kauth_cred_t cred" \
158"kauth_action_t op" "enum kauth_system_req req" "void *arg1" "void *arg2" \
159"void *arg3"
160.Pp
161The following requests are available for this scope:
162.Bl -tag
163.It Dv KAUTH_SYSTEM_ACCOUNTING
164Check if enabling/disabling accounting allowed.
165.It Dv KAUTH_SYSTEM_CHROOT
166.Ar req
167can be any of the following:
168.Bl -tag
169.It Dv KAUTH_REQ_SYSTEM_CHROOT_CHROOT
170Check if calling
171.Xr chroot 2
172is allowed.
173.It Dv KAUTH_REQ_SYSTEM_CHROOT_FCHROOT
174Check if calling
175.Xr fchroot 2
176is allowed.
177.El
178.It Dv KAUTH_SYSTEM_DEBUG
179This request concentrates several debugging-related operations.
180.Ar req
181can be any of the following:
182.Bl -tag
183.It Dv KAUTH_REQ_SYSTEM_DEBUG_IPKDB
184Check if using
185.Xr ipkdb 4
186is allowed.
187.El
188.It Dv KAUTH_SYSTEM_FILEHANDLE
189Check if filehandle operations allowed.
190.It Dv KAUTH_SYSTEM_LKM
191Check if an LKM request is allowed.
192.Pp
193.Ar arg1
194is the command.
195.It Dv KAUTH_SYSTEM_MKNOD
196Check if creating devices is allowed.
197.It Dv KAUTH_SYSTEM_RAWIO
198This request groups raw access to system resources.
199.Pp
200.Ar req
201indicates what is the underlying resource being access, and can be one of the
202following:
203.Bl -tag
204.It Dv KAUTH_REQ_SYSTEM_RAWIO_DISK
205The underlying resource is a disk.
206.It Dv KAUTH_REQ_SYSTEM_RAWIO_MEMORY
207The underlying resource is the machine memory.
208.El
209.Pp
210.Ar arg1
211indicates the access requested, and can be one of the following:
212.Bl -tag
213.It Dv KAUTH_REQ_SYSTEM_RAWIO_READ
214Read access is requested.
215.It Dv KAUTH_REQ_SYSTEM_RAWIO_RW
216Both read and write access are requested.
217.It Dv KAUTH_REQ_SYSTEM_RAWIO_WRITE
218Write access is requested.
219.El
220.Pp
221If the request is for a disk device,
222.Ar arg2
223should contain a
224.Ft struct vnode *
225for the vnode in question, and
226.Ar arg3
227should contain the device number.
228.Pp
229The behavior if any of the above is not provided is policy-dependent.
230.It Dv KAUTH_SYSTEM_REBOOT
231Check if rebooting is allowed.
232.It Dv KAUTH_SYSTEM_SETIDCORE
233Check if changing coredump settings for set-id processes is allowed.
234.It Dv KAUTH_SYSTEM_SWAPCTL
235Check if privileged
236.Xr swapctl 2
237requests are allowed.
238.It Dv KAUTH_SYSTEM_SYSCTL
239This requests operations related to
240.Xr sysctl 9 .
241.Ar req
242indicates the specific request and can be one of the following:
243.Bl -tag
244.It Dv KAUTH_REQ_SYSTEM_SYSCTL_ADD
245Check if adding a
246.Xr sysctl 9
247node is allowed.
248.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DELETE
249Check if deleting a
250.Xr sysctl 9
251node is allowed.
252.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DESC
253Check if adding description to a
254.Xr sysctl 9
255node is allowed.
256.It Dv KAUTH_REQ_SYSTEM_SYSCTL_PRVT
257Check if accessing private
258.Xr sysctl 9
259nodes is allowed.
260.El
261.It Dv KAUTH_SYSTEM_TIME
262This request groups time-related operations.
263.Ar req
264can be any of the following:
265.Bl -tag
266.It Dv KAUTH_REQ_SYSTEM_TIME_ADJTIME
267Check if changing the time using
268.Xr adjtime 2
269is allowed.
270.It Dv KAUTH_REQ_SYSTEM_TIME_BACKWARDS
271Check if setting the time backwards is allowed.
272.It Dv KAUTH_REQ_SYSTEM_TIME_NTPADJTIME
273Check if setting the time using
274.Xr ntp_adjtime 2
275is allowed.
276.It Dv KAUTH_REQ_SYSTEM_TIME_SYSTEM
277Check if changing the time (usually via
278.Xr settimeofday 2 )
279is allowed.
280.It Dv KAUTH_REQ_SYSTEM_TIME_RTCOFFSET
281Check if changing the RTC offset is allowed.
282.El
283.El
284.Ss Process Scope
285The process scope,
286.Dq org.netbsd.kauth.process ,
287manages authorization requests related to processes in the system.
288.Pp
289The authorization wrapper for this scope is declared as
290.Pp
291.Ft int Fn kauth_authorize_process "kauth_cred_t cred" \
292"kauth_action_t op" "struct proc *p" "void *arg1" "void *arg2" \
293"void *arg3"
294.Pp
295The following operations are available for this scope:
296.Bl -tag
297.It Dv KAUTH_PROCESS_CANSIGNAL
298Checks whether an object with one set of credentials can post signals
299to another process.
300.Pp
301.Ar arg1
302and
303.Ar arg2
304contain the credentials
305.Ft ( kauth_cred_t )
306and the process data
307.Ft ( struct proc * )
308of the process the signal is posted to, respectively.
309.Ar arg3
310is the signal to be posted.
311.It Dv KAUTH_PROCESS_CANSEE
312Checks whether an object with one set of credentials can access
313information about another process, possibly with a different set of
314credentials.
315.It Dv KAUTH_PROCESS_CORENAME
316Checks whether the coredump name for the process
317.Ar p
318can be changed.
319.It Dv KAUTH_PROCESS_RESOURCE
320Groups authorization requests related to resource management.
321.Ar arg0
322indicates the sub-action, and can be one of the following:
323.Bl -tag
324.It Dv KAUTH_REQ_PROCESS_RESOURCE_NICE
325Checks whether the
326.Em nice
327value of
328.Ar p
329can be changed to
330.Ar arg2 .
331.It Dv KAUTH_REQ_PROCESS_RESOURCE_RLIMIT
332Checks whether the
333.Em rlimit
334value for
335.Ar arg3
336in
337.Ar p
338can be set to
339.Ar arg2 .
340.El
341.It Dv KAUTH_PROCESS_SETID
342Check if changing the user- or group-ids, groups, or login-name for
343.Ar p
344is allowed.
345.El
346.Ss Network Scope
347The network scope,
348.Dq org.netbsd.kauth.network ,
349manages networking-related authorization requests in the kernel.
350.Pp
351The authorization wrapper for this scope is declared as
352.Pp
353.Ft int Fn kauth_authorize_network "kauth_cred_t cred" "kauth_action_t op" \
354"enum kauth_network_req req" "void *arg1" "void *arg2" "void *arg3"
355.Pp
356The following operations are available for this scope:
357.Bl -tag
358.It Dv KAUTH_NETWORK_ALTQ
359Checks if an ALTQ operation is allowed.
360.Pp
361.Ar req
362indicates the ALTQ subsystem in question, and can be one of the following:
363.Pp
364.Bl -tag -compact
365.It Dv KAUTH_REQ_NETWORK_ALTQ_AFMAP
366.It Dv KAUTH_REQ_NETWORK_ALTQ_BLUE
367.It Dv KAUTH_REQ_NETWORK_ALTQ_CBQ
368.It Dv KAUTH_REQ_NETWORK_ALTQ_CDNR
369.It Dv KAUTH_REQ_NETWORK_ALTQ_CONF
370.It Dv KAUTH_REQ_NETWORK_ALTQ_FIFOQ
371.It Dv KAUTH_REQ_NETWORK_ALTQ_HFSC
372.It Dv KAUTH_REQ_NETWORK_ALTQ_PRIQ
373.It Dv KAUTH_REQ_NETWORK_ALTQ_RED
374.It Dv KAUTH_REQ_NETWORK_ALTQ_RIO
375.It Dv KAUTH_REQ_NETWORK_ALTQ_WFQ
376.El
377.It Dv KAUTH_NETWORK_BIND
378Checks if a
379.Xr bind 2
380request is allowed.
381.Pp
382.Ar req
383allows to indicate the type of the request to structure listeners and callers
384easier.
385Supported request types:
386.Bl -tag
387.It Dv KAUTH_REQ_NETWORK_BIND_PRIVPORT
388Checks if binding to a privileged/reserved port is allowed.
389.El
390.It Dv KAUTH_NETWORK_FIREWALL
391Checks if firewall-related operations are allowed.
392.Pp
393.Ar req
394indicates the sub-action, and can be one of the following:
395.Bl -tag
396.It Dv KAUTH_REQ_NETWORK_FIREWALL_FW
397Modification of packet filtering rules.
398.It Dv KAUTH_REQ_NETWORK_FIREWALL_NAT
399Modification of NAT rules.
400.El
401.It Dv KAUTH_NETWORK_FORWSRCRT
402Checks whether status of forwarding of source-routed packets can be modified
403or not.
404.It Dv KAUTH_NETWORK_ROUTE
405Checks if a routing-related request is allowed.
406.Pp
407.Ar arg1
408is the
409.Ft struct rt_msghdr *
410for the request.
411.It Dv KAUTH_NETWORK_SOCKET
412Checks if a
413.Xr socket 2
414request is allowed.
415.Pp
416.Ar req
417allows to indicate the type of the request to structure listeners and callers
418easier.
419Supported request types:
420.Bl -tag
421.It Dv KAUTH_REQ_NETWORK_SOCKET_RAWSOCK
422Checks if opening a raw socket is allowed.
423.El
424.El
425.Ss Machine-dependent Scope
426The machine-dependent (machdep) scope,
427.Dq org.netbsd.kauth.machdep ,
428manages machine-dependent authorization requests in the kernel.
429.Pp
430The authorization wrapper for this scope is declared as
431.Pp
432.Ft int Fn kauth_authorize_machdep "kauth_cred_t cred" "kauth_action_t op" \
433"enum kauth_machdep_req req" "void *arg1" "void *arg2" "void *arg3"
434.Pp
435In this scope,
436.Ar req
437always indicates the machine for the request.
438Below is the list of available request hierarchy.
439.Bl -tag
440.It Dv KAUTH_MACHDEP_X86
441The request is x86 specific.
442.Pp
443Available requests as
444.Ar arg1
445are:
446.Bl -tag
447.It Dv KAUTH_REQ_MACHDEP_X86_IOPL
448Checks if IOPL is allowed to be modified.
449.It Dv KAUTH_REQ_MACHDEP_X86_IOPERM
450Checks if IOPERM is allowed to be modified.
451.It Dv KAUTH_REQ_MACHDEP_X86_MTRR_SET
452Checks if the MTRR can be set.
453.El
454.It Dv KAUTH_MACHDEP_X86_64
455The request is x86-64 specific.
456.Pp
457Available requests as
458.Ar arg1
459are:
460.Bl -tag
461.It Dv KAUTH_REQ_MACHDEP_X86_64_MTRR_GET
462Check if MTRR values can be retrieved.
463.El
464.El
465.Ss Device Scope
466The device scope,
467.Dq org.netbsd.kauth.device ,
468manages authorization requests related to devices on the system.
469Devices can be, for example, terminals, tape drives, and any other hardware.
470Network devices specifically are handled by the
471.Em network
472scope.
473.Pp
474This scope has an authorization routine per device class on the system.
475.Pp
476.Ft int Fn kauth_authorize_device_tty "kauth_cred_t cred" "kauth_action_t op" \
477"struct tty *tty"
478.Pp
479Authorizes requests for
480.Em terminal devices
481on the system.
482The third argument,
483.Ar tty ,
484is the terminal device in question.
485The second argument is one of the following:
486.Bl -tag
487.It Dv KAUTH_DEVICE_TTY_OPEN
488Open the terminal device pointed to by
489.Ar tty .
490.It Dv KAUTH_DEVICE_TTY_PRIVSET
491Set privileged settings on the terminal device pointed to by
492.Ar tty .
493.El
494.Ss Credentials Accessors and Mutators
495.Nm
496has a variety of accessor and mutator routines to handle
497.Ft kauth_cred_t
498objects.
499.Pp
500The following routines can be used to access and modify the user- and
501group-ids in a
502.Ft kauth_cred_t :
503.Bl -tag
504.It Ft uid_t Fn kauth_cred_getuid "kauth_cred_t cred"
505Returns the real user-id from
506.Ar cred .
507.It Ft uid_t Fn kauth_cred_geteuid "kauth_cred_t cred"
508Returns the effective user-id from
509.Ar cred .
510.It Ft uid_t Fn kauth_cred_getsvuid "kauth_cred_t cred"
511Returns the saved user-id from
512.Ar cred .
513.It Ft void Fn kauth_cred_setuid "kauth_cred_t cred" "uid_t uid"
514Sets the real user-id in
515.Ar cred
516to
517.Ar uid .
518.It Ft void Fn kauth_cred_seteuid "kauth_cred_t cred" "uid_t uid"
519Sets the effective user-id in
520.Ar cred
521to
522.Ar uid .
523.It Ft void Fn kauth_cred_setsvuid "kauth_cred_t cred" "uid_t uid"
524Sets the saved user-id in
525.Ar cred
526to
527.Ar uid .
528.It Ft gid_t Fn kauth_cred_getgid "kauth_cred_t cred"
529Returns the real group-id from
530.Ar cred .
531.It Ft gid_t Fn kauth_cred_getegid "kauth_cred_t cred"
532Returns the effective group-id from
533.Ar cred .
534.It Ft gid_t Fn kauth_cred_getsvgid "kauth_cred_t cred"
535Returns the saved group-id from
536.Ar cred .
537.It Ft void Fn kauth_cred_setgid "kauth_cred_t cred" "gid_t gid"
538Sets the real group-id in
539.Ar cred
540to
541.Ar gid .
542.It Ft void Fn kauth_cred_setegid "kauth_cred_t cred" "gid_t gid"
543Sets the effective group-id in
544.Ar cred
545to
546.Ar gid .
547.It Ft void Fn kauth_cred_setsvgid "kauth_cred_t cred" "gid_t gid"
548Sets the saved group-id in
549.Ar cred
550to
551.Ar gid .
552.It Ft u_int Fn kauth_cred_getrefcnt "kauth_cred_t cred"
553Return the reference count for
554.Ar cred .
555.El
556.Pp
557The following routines can be used to access and modify the group
558list in a
559.Ft kauth_cred_t :
560.Bl -tag
561.It Ft int Fn kauth_cred_ismember_gid "kauth_cred_t cred" "gid_t gid" \
562"int *resultp"
563Checks if the group-id
564.Ar gid
565is a member in the group list of
566.Ar cred .
567.Pp
568If it is,
569.Ar resultp
570will be set to one, otherwise, to zero.
571.Pp
572The return value is an error code, or zero for success.
573.It Ft u_int Fn kauth_cred_ngroups "kauth_cred_t cred"
574Return the number of groups in the group list of
575.Ar cred .
576.It Ft int Fn kauth_cred_group "kauth_cred_t cred" "u_int idx"
577Return the group-id of the group at index
578.Ar idx
579in the group list of
580.Ar cred .
581.It Ft int Fn kauth_cred_setgroups "kauth_cred_t cred" "gid_t *groups" \
582"size_t ngroups" "uid_t gmuid"
583Copy
584.Ar ngroups
585groups from array pointed to by
586.Ar groups
587to the group list in
588.Ar cred ,
589adjusting the number of groups in
590.Ar cred
591appropriately.
592.Pp
593Any groups remaining will be set to an invalid value.
594.Pp
595.Ar gmuid
596is unused for now, and to maintain interface compatibility with the Darwin
597KPI.
598.It Ft int Fn kauth_cred_getgroups "kauth_cred_t cred" "gid_t *groups" \
599"size_t ngroups"
600Copy
601.Ar ngroups
602groups from the group list in
603.Ar cred
604to the buffer pointed to by
605.Ar groups .
606.Pp
607The number of groups in
608.Ar cred
609will be returned.
610.El
611.Ss Credentials Inheritance and Reference Counting
612.Nm
613provides a KPI for handling a
614.Ft kauth_cred_t
615in shared credentials situations and credential inheritance.
616.Pp
617When a
618.Ft kauth_cred_t
619is first allocated, its reference count is set to 1.
620However, with time, its reference count can grow as more objects (processes,
621LWPs, files, etc.) reference it.
622One such case is during a
623.Xr fork 2
624where the child process and its LWPs inherit the credentials of the parent.
625.Pp
626To prevent freeing a
627.Ft kauth_cred_t
628while it is still referenced, the following routines are available to maintain
629its reference count:
630.Bl -tag
631.It Ft void Fn kauth_cred_hold "kauth_cred_t cred"
632Increases reference count to
633.Ar cred
634by one.
635.It Ft void Fn kauth_cred_free "kauth_cred_t cred"
636Decreases the reference count to
637.Ar cred
638by one.
639.Pp
640If the reference count dropped to zero, the memory used by
641.Ar cred
642will be returned back to the memory pool.
643.El
644.Ss Credentials Memory Management
645Data-structures for credentials, listeners, and scopes are allocated from
646memory pools managed by the
647.Xr pool 9
648subsystem.
649.Pp
650The
651.Ft kauth_cred_t
652objects have their own memory management routines:
653.Bl -tag
654.It Ft kauth_cred_t Fn kauth_cred_alloc "void"
655Allocates a new
656.Ft kauth_cred_t ,
657initializes its lock, and sets its reference count to one.
658.El
659.Ss Conversion Routines
660Sometimes it might be necessary to convert a
661.Ft kauth_cred_t
662to a predecessing type, such as
663.Ft struct pcred
664or
665.Ft struct ucred ,
666or convert credentials passed from userland as a
667.Ft struct uucred
668to a
669.Ft kauth_cred_t .
670.Pp
671The following routines are available for these cases:
672.Bl -tag
673.It Ft void Fn kauth_cred_topcred "kauth_cred_t cred" "struct pcred *pcred"
674Convert a
675.Ft kauth_cred_t
676to a
677.Ft struct pcred .
678.Pp
679This includes real and saved user- and group-ids and reference count, copied
680from
681.Ar cred .
682The
683.Ar pc_ucred
684field in the destination is set to
685.Dv NULL .
686.It Ft void Fn kauth_cred_toucred "kauth_cred_t cred" "struct ucred *ucred"
687Convert a
688.Ft kauth_cred_t
689to a
690.Ft struct ucred .
691.Pp
692This includes effective user- and group-ids, number of groups, and the group
693list from
694.Ar cred .
695.Pp
696Note that
697.Nm
698will try to copy as many groups as
699.Ar ucred
700can hold.
701.It Ft void Fn kauth_cred_uucvt "kauth_cred_t cred" "const struct uucred *uucred"
702Convert userland's view of credentials to a
703.Ft kauth_cred_t .
704.Pp
705This includes effective user- and group-ids, a number of groups, and a group
706list.
707The reference count is set to one.
708.Pp
709Note that
710.Nm
711will try to copy as many groups as can be held inside a
712.Ft kauth_cred_t .
713The addition of groups will also guarantee order and no duplicates.
714.It Ft int Fn kauth_cred_uucmp "kauth_cred_t cred" "struct uucred *uucred"
715Compares
716.Ar cred
717with the userland credentials in
718.Ar uucred .
719.Pp
720Common values that will be compared are effective user- and group-ids, and
721the group list.
722.El
723.Ss Miscellaneous Routines
724Other routines provided by
725.Nm
726are:
727.Bl -tag
728.It Ft void Fn kauth_cred_clone "kauth_cred_t cred1" "kauth_cred_t cred2"
729Clone credentials from
730.Ar cred1
731to
732.Ar cred2 ,
733except for the lock and reference count.
734.Pp
735.It Ft kauth_cred_t Fn kauth_cred_dup "kauth_cred_t cred"
736Duplicate
737.Ar cred .
738.Pp
739What this routine does is call
740.Fn kauth_cred_alloc
741followed by a call to
742.Fn kauth_cred_clone .
743.It Ft kauth_cred_t Fn kauth_cred_copy "kauth_cred_t cred"
744Works like
745.Fn kauth_cred_dup ,
746except for a few differences.
747.Pp
748If
749.Ar cred
750already has a reference count of one, it will be returned.
751Otherwise, a new
752.Ft kauth_cred_t
753will be allocated and the credentials from
754.Ar cred
755will be cloned to it.
756Last, a call to
757.Fn kauth_cred_free
758for
759.Ar cred
760will be done.
761.It Ft kauth_cred_t Fn kauth_cred_get "void"
762Return the credentials associated with the current LWP.
763.El
764.Ss Scope Management
765.Nm
766provides routines to manage the creation and deletion of scopes on the
767system.
768.Pp
769Note that the built-in scopes, the
770.Dq generic
771scope and the
772.Dq process
773scope, can't be deleted.
774.Bl -tag
775.It Ft kauth_scope_t Fn kauth_register_scope "const char *id" \
776"kauth_scope_callback_t cb" "void *cookie"
777Register a new scope on the system.
778.Ar id
779is the name of the scope, usually in reverse DNS-like notation.
780For example,
781.Dq org.netbsd.kauth.myscope .
782.Ar cb
783is the default listener, to which authorization requests for this scope
784will be dispatched to.
785.Ar cookie
786is optional user-data that will be passed to all listeners
787during authorization on the scope.
788.It Ft void Fn kauth_deregister_scope "kauth_scope_t scope"
789Deregister
790.Ar scope
791from the scopes available on the system.
792.El
793.Ss Listener Management
794Listeners in
795.Nm
796are authorization callbacks that are called during an authorization
797request in the scope which they belong to.
798.Pp
799When an authorization request is made, all listeners associated with
800a scope are called to allow, deny, or defer the request.
801.Pp
802It is enough for one listener to deny the request in order for the
803request to be denied; but all listeners are called during an authorization
804process none-the-less.
805All listeners are required to allow the request for it to be granted,
806and in a case where all listeners defer the request -- leaving the decision
807for other listeners -- the request is denied.
808.Pp
809The following KPI is provided for the management of listeners:
810.Bl -tag
811.It Ft kauth_listener_t Fn kauth_listen_scope "const char *id" \
812"kauth_scope_callback_t cb" "void *cookie"
813Create a new listener on the scope with the id
814.Ar id ,
815setting the default listener to
816.Ar cb .
817.\".Ar cookie
818.\"is optional user-data that will be passed to the listener when called
819.\"during an authorization request.
820.It Ft void Fn kauth_unlisten_scope "kauth_listener_t listener"
821Remove
822.Ar listener
823from the scope which it belongs to.
824.Pp
825Effectively what this does is is remove the callback from the chain of
826functions to be called when an authorization request is made, preventing
827from the listener from being entered in the future.
828.El
829.Pp
830.Nm
831provides no means for synchronization within listeners.
832It is the the programmer's responsibility to make sure data used by the
833listener is properly locked during its use, as it can be accessed
834simultaneously from the same listener called multiple times.
835It is also the programmer's responsibility to do garbage collection after
836the listener, possibly freeing any allocated data it used.
837.Pp
838The common method to do the above is by having a reference count to
839each listener.
840On entry to the listener, this reference count should be raised, and
841on exit -- lowered.
842.Pp
843During the removal of a listener, first
844.Fn kauth_scope_unlisten
845should be called to make sure the listener code will not be entered in
846the future.
847Then, the code should wait (possibly sleeping) until the reference count
848drops to zero.
849When that happens, it is safe to do the final cleanup.
850.Pp
851Listeners might sleep, so no locks can be held when calling an authorization
852wrapper.
853.\".Sh EXAMPLES
854.Sh SEE ALSO
855.Xr secmodel 9
856.Sh HISTORY
857The kernel authorization framework first appeared in Mac OS X 10.4.
858.Pp
859The kernel authorization framework in
860.Nx
861first appeared in
862.Nx 4.0 ,
863and is a clean-room implementation based on Apple TN2127, available at
864http://developer.apple.com/technotes/tn2005/tn2127.html
865.Sh AUTHORS
866.An Elad Efrat Aq elad@NetBSD.org
867implemented the kernel authorization framework in
868.Nx .
869.Pp
870.An Jason R. Thorpe Aq thorpej@NetBSD.org
871provided guidance and answered questions about the Darwin implementation.
872.Sh ONE MORE THING
873The
874.Nm
875framework is dedicated to Brian Mitchell, one of the most talented people
876I know.
877Thanks for everything.
878