1.\" $NetBSD: kauth.9,v 1.16 2006/09/23 10:07:32 wiz Exp $ 2.\" 3.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. All advertising materials mentioning features or use of this software 15.\" must display the following acknowledgement: 16.\" This product includes software developed by Elad Efrat. 17.\" 4. The name of the author may not be used to endorse or promote products 18.\" derived from this software without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30.\" 31.Dd September 20, 2006 32.Dt KAUTH 9 33.Os 34.Sh NAME 35.Nm kauth 36.Nd kernel authorization framework 37.Sh SYNOPSIS 38.In sys/kauth.h 39.Sh DESCRIPTION 40.Nm , 41or kernel authorization, is the subsystem managing all authorization requests 42inside the kernel. 43It manages user credentials and rights, and can be used 44to implement a system-wide security policy. 45It allows external modules to plug-in the authorization process. 46.Pp 47.Nm 48introduces some new concepts, namely 49.Dq scopes 50and 51.Dq listeners , 52which will be detailed together with other useful information for kernel 53developers in this document. 54.Ss Types 55Some 56.Nm 57types include the following: 58.Bl -tag -width "123456" 59.It kauth_cred_t 60Representing credentials that can be associated with an object. 61Includes user- and group-ids (real, effective, and save) as well as group 62membership information. 63.It kauth_scope_t 64Describes a scope. 65.It kauth_listener_t 66Describes a listener. 67.El 68.Ss Terminology 69.Nm 70operates in various 71.Dq scopes , 72each scope holding a group of 73.Dq listeners . 74.Pp 75Each listener works as a callback for when an authorization request within the 76scope is made. 77When such a request is made, all listeners on the scope are passed common 78information such as the credentials of the request context, an identifier for 79the requested operation, and possibly other information as well. 80.Pp 81Every listener examines the passed information and returns its decision 82regarding the requested operation. 83It can either allow, deny, or defer the operation -- in which case, the 84decision is left to the other listeners. 85.Pp 86For an operation to be allowed, all listeners must not return any deny 87or defer decisions. 88.Pp 89Scopes manage listeners that operate in the same aspect of the system. 90.Ss Kernel Programming Interface 91.Nm 92exports a KPI that allows developers both of 93.Nx 94and third-party products to authorize requests, access and modify credentials, 95create and remove scopes and listeners, and perform other miscellaneous operations on 96credentials. 97.Ss Authorization Requests 98.Nm 99provides a single authorization request routine, which all authorization 100requests go through. 101This routine dispatches the request to the listeners of the appropriate scope, 102together with four optional user-data variables, and returns the augmented 103result. 104.Pp 105It is declared as 106.Pp 107.Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \ 108"kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3" 109.Pp 110An authorization request can return one of two possible values. 111Zero indicates success -- the operation is allowed; 112.Er EPERM 113(see 114.Xr errno 2 ) 115indicates failure -- the operation is denied. 116.Pp 117Each scope has its own authorization wrapper, to make it easy to call from various 118places by eliminating the need to specify the scope and/or cast values. 119The authorization wrappers are detailed in each scope's section. 120.Ss Generic Scope 121The generic scope, 122.Dq org.netbsd.kauth.generic , 123manages generic authorization requests in the kernel. 124.Pp 125The authorization wrapper for this scope is declared as 126.Pp 127.Ft int Fn kauth_authorize_generic "kauth_cred_t cred" "kauth_action_t op" \ 128"void *arg0" 129.Pp 130The following operations are available for this scope: 131.Bl -tag -width "123456" 132.It Dv KAUTH_GENERIC_ISSUSER 133Checks whether the credentials belong to the super-user. 134.Pp 135Using this request is strongly discouraged and should only be done as a 136temporary place-holder, as it is breaking the separation between the 137interface for authorization requests from the back-end implementation. 138.It Dv KAUTH_GENERIC_CANSEE 139Checks whether an object with one set of credentials can access 140information about another object, possibly with a different set of 141credentials. 142.Pp 143.Ar arg0 144contains the credentials of the object looked at. 145.Pp 146This request should be issued only in cases where generic credentials 147check is required; otherwise it is recommended to use the object-specific 148routines. 149.El 150.Ss System Scope 151The system scope, 152.Dq org.netbsd.kauth.system , 153manages authorization requests affecting the entire system. 154.Pp 155The authorization wrapper for this scope is declared as 156.Pp 157.Ft int Fn kauth_authorize_system "kauth_cred_t cred" \ 158"kauth_action_t op" "enum kauth_system_req req" "void *arg1" "void *arg2" \ 159"void *arg3" 160.Pp 161The following requests are available for this scope: 162.Bl -tag -width "123456" 163.It Dv KAUTH_SYSTEM_ACCOUNTING 164Check if enabling/disabling accounting allowed. 165.It Dv KAUTH_SYSTEM_CHROOT 166.Ar req 167can be any of the following: 168.Bl -tag -width "123456" 169.It Dv KAUTH_REQ_SYSTEM_CHROOT_CHROOT 170Check if calling 171.Xr chroot 2 172is allowed. 173.It Dv KAUTH_REQ_SYSTEM_CHROOT_FCHROOT 174Check if calling 175.Xr fchroot 2 176is allowed. 177.El 178.It Dv KAUTH_SYSTEM_DEBUG 179This request concentrates several debugging-related operations. 180.Ar req 181can be any of the following: 182.Bl -tag -width "123456" 183.It Dv KAUTH_REQ_SYSTEM_DEBUG_IPKDB 184Check if using 185.Xr ipkdb 4 186is allowed. 187.El 188.It Dv KAUTH_SYSTEM_FILEHANDLE 189Check if filehandle operations allowed. 190.It Dv KAUTH_SYSTEM_LKM 191Check if an LKM request is allowed. 192.Pp 193.Ar arg1 194is the command. 195.It Dv KAUTH_SYSTEM_MKNOD 196Check if creating devices is allowed. 197.It Dv KAUTH_SYSTEM_RAWIO 198This request groups raw access to system resources. 199.Pp 200.Ar req 201indicates what is the underlying resource being access, and can be one of the 202following: 203.Bl -tag -width "123456" 204.It Dv KAUTH_REQ_SYSTEM_RAWIO_DISK 205The underlying resource is a disk. 206.It Dv KAUTH_REQ_SYSTEM_RAWIO_MEMORY 207The underlying resource is the machine memory. 208.El 209.Pp 210.Ar arg1 211indicates the access requested, and can be one of the following: 212.Bl -tag -width "123456" 213.It Dv KAUTH_REQ_SYSTEM_RAWIO_READ 214Read access is requested. 215.It Dv KAUTH_REQ_SYSTEM_RAWIO_RW 216Both read and write access are requested. 217.It Dv KAUTH_REQ_SYSTEM_RAWIO_WRITE 218Write access is requested. 219.El 220.Pp 221If the request is for a disk device, 222.Ar arg2 223should contain a 224.Ft struct vnode * 225for the vnode in question, and 226.Ar arg3 227should contain the device number. 228.Pp 229The behavior if any of the above is not provided is policy-dependent. 230.It Dv KAUTH_SYSTEM_REBOOT 231Check if rebooting is allowed. 232.It Dv KAUTH_SYSTEM_SETIDCORE 233Check if changing coredump settings for set-id processes is allowed. 234.It Dv KAUTH_SYSTEM_SWAPCTL 235Check if privileged 236.Xr swapctl 2 237requests are allowed. 238.It Dv KAUTH_SYSTEM_SYSCTL 239This requests operations related to 240.Xr sysctl 9 . 241.Ar req 242indicates the specific request and can be one of the following: 243.Bl -tag -width "123456" 244.It Dv KAUTH_REQ_SYSTEM_SYSCTL_ADD 245Check if adding a 246.Xr sysctl 9 247node is allowed. 248.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DELETE 249Check if deleting a 250.Xr sysctl 9 251node is allowed. 252.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DESC 253Check if adding description to a 254.Xr sysctl 9 255node is allowed. 256.It Dv KAUTH_REQ_SYSTEM_SYSCTL_PRVT 257Check if accessing private 258.Xr sysctl 9 259nodes is allowed. 260.El 261.It Dv KAUTH_SYSTEM_TIME 262This request groups time-related operations. 263.Ar req 264can be any of the following: 265.Bl -tag -width "123456" 266.It Dv KAUTH_REQ_SYSTEM_TIME_ADJTIME 267Check if changing the time using 268.Xr adjtime 2 269is allowed. 270.It Dv KAUTH_REQ_SYSTEM_TIME_BACKWARDS 271Check if setting the time backwards is allowed. 272.It Dv KAUTH_REQ_SYSTEM_TIME_NTPADJTIME 273Check if setting the time using 274.Xr ntp_adjtime 2 275is allowed. 276.It Dv KAUTH_REQ_SYSTEM_TIME_SYSTEM 277Check if changing the time (usually via 278.Xr settimeofday 2 ) 279is allowed. 280.It Dv KAUTH_REQ_SYSTEM_TIME_RTCOFFSET 281Check if changing the RTC offset is allowed. 282.El 283.El 284.Ss Process Scope 285The process scope, 286.Dq org.netbsd.kauth.process , 287manages authorization requests related to processes in the system. 288.Pp 289The authorization wrapper for this scope is declared as 290.Pp 291.Ft int Fn kauth_authorize_process "kauth_cred_t cred" \ 292"kauth_action_t op" "struct proc *p" "void *arg1" "void *arg2" \ 293"void *arg3" 294.Pp 295The following operations are available for this scope: 296.Bl -tag -width "123456" 297.It Dv KAUTH_PROCESS_CANSIGNAL 298Checks whether an object with one set of credentials can post signals 299to another process. 300.Pp 301.Ar arg1 302and 303.Ar arg2 304contain the credentials 305.Ft ( kauth_cred_t ) 306and the process data 307.Ft ( struct proc * ) 308of the process the signal is posted to, respectively. 309.Ar arg3 310is the signal to be posted. 311.It Dv KAUTH_PROCESS_CANSEE 312Checks whether an object with one set of credentials can access 313information about another process, possibly with a different set of 314credentials. 315.It Dv KAUTH_PROCESS_CORENAME 316Checks whether the coredump name for the process 317.Ar p 318can be changed. 319.It Dv KAUTH_PROCESS_RESOURCE 320Groups authorization requests related to resource management. 321.Ar arg0 322indicates the sub-action, and can be one of the following: 323.Bl -tag -width "123456" 324.It Dv KAUTH_REQ_PROCESS_RESOURCE_NICE 325Checks whether the 326.Em nice 327value of 328.Ar p 329can be changed to 330.Ar arg2 . 331.It Dv KAUTH_REQ_PROCESS_RESOURCE_RLIMIT 332Checks whether the 333.Em rlimit 334value for 335.Ar arg3 336in 337.Ar p 338can be set to 339.Ar arg2 . 340.El 341.It Dv KAUTH_PROCESS_SETID 342Check if changing the user- or group-ids, groups, or login-name for 343.Ar p 344is allowed. 345.El 346.Ss Network Scope 347The network scope, 348.Dq org.netbsd.kauth.network , 349manages networking-related authorization requests in the kernel. 350.Pp 351The authorization wrapper for this scope is declared as 352.Pp 353.Ft int Fn kauth_authorize_network "kauth_cred_t cred" "kauth_action_t op" \ 354"enum kauth_network_req req" "void *arg1" "void *arg2" "void *arg3" 355.Pp 356The following operations are available for this scope: 357.Bl -tag -width "123456" 358.It Dv KAUTH_NETWORK_ALTQ 359Checks if an ALTQ operation is allowed. 360.Pp 361.Ar req 362indicates the ALTQ subsystem in question, and can be one of the following: 363.Bl -tag -width "123456" 364.It Dv KAUTH_REQ_NETWORK_ALTQ_AFMAP 365.It Dv KAUTH_REQ_NETWORK_ALTQ_BLUE 366.It Dv KAUTH_REQ_NETWORK_ALTQ_CBQ 367.It Dv KAUTH_REQ_NETWORK_ALTQ_CDNR 368.It Dv KAUTH_REQ_NETWORK_ALTQ_CONF 369.It Dv KAUTH_REQ_NETWORK_ALTQ_FIFOQ 370.It Dv KAUTH_REQ_NETWORK_ALTQ_HFSC 371.It Dv KAUTH_REQ_NETWORK_ALTQ_PRIQ 372.It Dv KAUTH_REQ_NETWORK_ALTQ_RED 373.It Dv KAUTH_REQ_NETWORK_ALTQ_RIO 374.It Dv KAUTH_REQ_NETWORK_ALTQ_WFQ 375.El 376.It Dv KAUTH_NETWORK_BIND 377Checks if a 378.Xr bind 2 379request is allowed. 380.Pp 381.Ar req 382allows to indicate the type of the request to structure listeners and callers 383easier. 384Supported request types: 385.Bl -tag -width "123456" 386.It Dv KAUTH_REQ_NETWORK_BIND_PRIVPORT 387Checks if binding to a privileged/reserved port is allowed. 388.El 389.It Dv KAUTH_NETWORK_FIREWALL 390Checks if firewall-related operations are allowed. 391.Pp 392.Ar req 393indicates the sub-action, and can be one of the following: 394.Bl -tag -width "123456" 395.It Dv KAUTH_REQ_NETWORK_FIREWALL_FW 396Modification of packet filtering rules. 397.It Dv KAUTH_REQ_NETWORK_FIREWALL_NAT 398Modification of NAT rules. 399.El 400.It Dv KAUTH_NETWORK_FORWSRCRT 401Checks whether status of forwarding of source-routed packets can be modified 402or not. 403.It Dv KAUTH_NETWORK_ROUTE 404Checks if a routing-related request is allowed. 405.Pp 406.Ar arg1 407is the 408.Ft struct rt_msghdr * 409for the request. 410.It Dv KAUTH_NETWORK_SOCKET 411Checks if a 412.Xr socket 2 413request is allowed. 414.Pp 415.Ar req 416allows to indicate the type of the request to structure listeners and callers 417easier. 418Supported request types: 419.Bl -tag -width "123456" 420.It Dv KAUTH_REQ_NETWORK_SOCKET_RAWSOCK 421Checks if opening a raw socket is allowed. 422.El 423.El 424.Ss Machine-dependent Scope 425The machine-dependent (machdep) scope, 426.Dq org.netbsd.kauth.machdep , 427manages machine-dependent authorization requests in the kernel. 428.Pp 429The authorization wrapper for this scope is declared as 430.Pp 431.Ft int Fn kauth_authorize_machdep "kauth_cred_t cred" "kauth_action_t op" \ 432"enum kauth_machdep_req req" "void *arg1" "void *arg2" "void *arg3" 433.Pp 434In this scope, 435.Ar req 436always indicates the machine for the request. 437Below is the list of available request hierarchy. 438.Bl -tag -width "123456" 439.It Dv KAUTH_MACHDEP_X86 440The request is x86 specific. 441.Pp 442Available requests as 443.Ar arg1 444are: 445.Bl -tag -width "123456" 446.It Dv KAUTH_REQ_MACHDEP_X86_IOPL 447Checks if IOPL is allowed to be modified. 448.It Dv KAUTH_REQ_MACHDEP_X86_IOPERM 449Checks if IOPERM is allowed to be modified. 450.It Dv KAUTH_REQ_MACHDEP_X86_MTRR_SET 451Checks if the MTRR can be set. 452.El 453.It Dv KAUTH_MACHDEP_X86_64 454The request is x86-64 specific. 455.Pp 456Available requests as 457.Ar arg1 458are: 459.Bl -tag -width "123456" 460.It Dv KAUTH_REQ_MACHDEP_X86_64_MTRR_GET 461Check if MTRR values can be retrieved. 462.El 463.El 464.Ss Credentials Accessors and Mutators 465.Nm 466has a variety of accessor and mutator routines to handle 467.Ft kauth_cred_t 468objects. 469.Pp 470The following routines can be used to access and modify the user- and 471group-ids in a 472.Ft kauth_cred_t : 473.Bl -tag -width "123456" 474.It Ft uid_t Fn kauth_cred_getuid "kauth_cred_t cred" 475Returns the real user-id from 476.Ar cred . 477.It Ft uid_t Fn kauth_cred_geteuid "kauth_cred_t cred" 478Returns the effective user-id from 479.Ar cred . 480.It Ft uid_t Fn kauth_cred_getsvuid "kauth_cred_t cred" 481Returns the saved user-id from 482.Ar cred . 483.It Ft void Fn kauth_cred_setuid "kauth_cred_t cred" "uid_t uid" 484Sets the real user-id in 485.Ar cred 486to 487.Ar uid . 488.It Ft void Fn kauth_cred_seteuid "kauth_cred_t cred" "uid_t uid" 489Sets the effective user-id in 490.Ar cred 491to 492.Ar uid . 493.It Ft void Fn kauth_cred_setsvuid "kauth_cred_t cred" "uid_t uid" 494Sets the saved user-id in 495.Ar cred 496to 497.Ar uid . 498.It Ft gid_t Fn kauth_cred_getgid "kauth_cred_t cred" 499Returns the real group-id from 500.Ar cred . 501.It Ft gid_t Fn kauth_cred_getegid "kauth_cred_t cred" 502Returns the effective group-id from 503.Ar cred . 504.It Ft gid_t Fn kauth_cred_getsvgid "kauth_cred_t cred" 505Returns the saved group-id from 506.Ar cred . 507.It Ft void Fn kauth_cred_setgid "kauth_cred_t cred" "gid_t gid" 508Sets the real group-id in 509.Ar cred 510to 511.Ar gid . 512.It Ft void Fn kauth_cred_setegid "kauth_cred_t cred" "gid_t gid" 513Sets the effective group-id in 514.Ar cred 515to 516.Ar gid . 517.It Ft void Fn kauth_cred_setsvgid "kauth_cred_t cred" "gid_t gid" 518Sets the saved group-id in 519.Ar cred 520to 521.Ar gid . 522.It Ft u_int Fn kauth_cred_getrefcnt "kauth_cred_t cred" 523Return the reference count for 524.Ar cred . 525.El 526.Pp 527The following routines can be used to access and modify the group 528list in a 529.Ft kauth_cred_t : 530.Bl -tag -width "123456" 531.It Ft int Fn kauth_cred_ismember_gid "kauth_cred_t cred" "gid_t gid" \ 532"int *resultp" 533Checks if the group-id 534.Ar gid 535is a member in the group list of 536.Ar cred . 537.Pp 538If it is, 539.Ar resultp 540will be set to one, otherwise, to zero. 541.Pp 542The return value is an error code, or zero for success. 543.It Ft u_int Fn kauth_cred_ngroups "kauth_cred_t cred" 544Return the number of groups in the group list of 545.Ar cred . 546.It Ft int Fn kauth_cred_group "kauth_cred_t cred" "u_int idx" 547Return the group-id of the group at index 548.Ar idx 549in the group list of 550.Ar cred . 551.It Ft int Fn kauth_cred_setgroups "kauth_cred_t cred" "gid_t *groups" \ 552"size_t ngroups" "uid_t gmuid" 553Copy 554.Ar ngroups 555groups from array pointed to by 556.Ar groups 557to the group list in 558.Ar cred , 559adjusting the number of groups in 560.Ar cred 561appropriately. 562.Pp 563Any groups remaining will be set to an invalid value. 564.Pp 565.Ar gmuid 566is unused for now, and to maintain interface compatibility with the Darwin 567KPI. 568.It Ft int Fn kauth_cred_getgroups "kauth_cred_t cred" "gid_t *groups" \ 569"size_t ngroups" 570Copy 571.Ar ngroups 572groups from the group list in 573.Ar cred 574to the buffer pointed to by 575.Ar groups . 576.Pp 577The number of groups in 578.Ar cred 579will be returned. 580.El 581.Ss Credentials Inheritance and Reference Counting 582.Nm 583provides a KPI for handling a 584.Ft kauth_cred_t 585in shared credentials situations and credential inheritance. 586.Pp 587When a 588.Ft kauth_cred_t 589is first allocated, its reference count is set to 1. 590However, with time, its reference count can grow as more objects (processes, 591LWPs, files, etc.) reference it. 592One such case is during a 593.Xr fork 2 594where the child process and its LWPs inherit the credentials of the parent. 595.Pp 596To prevent freeing a 597.Ft kauth_cred_t 598while it is still referenced, the following routines are available to maintain 599its reference count: 600.Bl -tag -width "123456" 601.It Ft void Fn kauth_cred_hold "kauth_cred_t cred" 602Increases reference count to 603.Ar cred 604by one. 605.It Ft void Fn kauth_cred_free "kauth_cred_t cred" 606Decreases the reference count to 607.Ar cred 608by one. 609.Pp 610If the reference count dropped to zero, the memory used by 611.Ar cred 612will be returned back to the memory pool. 613.El 614.Ss Credentials Memory Management 615Data-structures for credentials, listeners, and scopes are allocated from 616memory pools managed by the 617.Xr pool 9 618subsystem. 619.Pp 620The 621.Ft kauth_cred_t 622objects have their own memory management routines: 623.Bl -tag -width "123456" 624.It Ft kauth_cred_t Fn kauth_cred_alloc "void" 625Allocates a new 626.Ft kauth_cred_t , 627initializes its lock, and sets its reference count to one. 628.El 629.Ss Conversion Routines 630Sometimes it might be necessary to convert a 631.Ft kauth_cred_t 632to a predecessing type, such as 633.Ft struct pcred 634or 635.Ft struct ucred , 636or convert credentials passed from userland as a 637.Ft struct uucred 638to a 639.Ft kauth_cred_t . 640.Pp 641The following routines are available for these cases: 642.Bl -tag -width "123456" 643.It Ft void Fn kauth_cred_topcred "kauth_cred_t cred" "struct pcred *pcred" 644Convert a 645.Ft kauth_cred_t 646to a 647.Ft struct pcred . 648.Pp 649This includes real and saved user- and group-ids and reference count, copied 650from 651.Ar cred . 652The 653.Ar pc_ucred 654field in the destination is set to 655.Dv NULL . 656.It Ft void Fn kauth_cred_toucred "kauth_cred_t cred" "struct ucred *ucred" 657Convert a 658.Ft kauth_cred_t 659to a 660.Ft struct ucred . 661.Pp 662This includes effective user- and group-ids, number of groups, and the group 663list from 664.Ar cred . 665.Pp 666Note that 667.Nm 668will try to copy as many groups as 669.Ar ucred 670can hold. 671.It Ft void Fn kauth_cred_uucvt "kauth_cred_t cred" "const struct uucred *uucred" 672Convert userland's view of credentials to a 673.Ft kauth_cred_t . 674.Pp 675This includes effective user- and group-ids, a number of groups, and a group 676list. 677The reference count is set to one. 678.Pp 679Note that 680.Nm 681will try to copy as many groups as can be held inside a 682.Ft kauth_cred_t . 683The addition of groups will also guarantee order and no duplicates. 684.It Ft int Fn kauth_cred_uucmp "kauth_cred_t cred" "struct uucred *uucred" 685Compares 686.Ar cred 687with the userland credentials in 688.Ar uucred . 689.Pp 690Common values that will be compared are effective user- and group-ids, and 691the group list. 692.El 693.Ss Miscellaneous Routines 694Other routines provided by 695.Nm 696are: 697.Bl -tag -width "123456" 698.It Ft void Fn kauth_cred_clone "kauth_cred_t cred1" "kauth_cred_t cred2" 699Clone credentials from 700.Ar cred1 701to 702.Ar cred2 , 703except for the lock and reference count. 704.Pp 705.It Ft kauth_cred_t Fn kauth_cred_dup "kauth_cred_t cred" 706Duplicate 707.Ar cred . 708.Pp 709What this routine does is call 710.Fn kauth_cred_alloc 711followed by a call to 712.Fn kauth_cred_clone . 713.It Ft kauth_cred_t Fn kauth_cred_copy "kauth_cred_t cred" 714Works like 715.Fn kauth_cred_dup , 716except for a few differences. 717.Pp 718If 719.Ar cred 720already has a reference count of one, it will be returned. 721Otherwise, a new 722.Ft kauth_cred_t 723will be allocated and the credentials from 724.Ar cred 725will be cloned to it. 726Last, a call to 727.Fn kauth_cred_free 728for 729.Ar cred 730will be done. 731.It Ft kauth_cred_t Fn kauth_cred_get "void" 732Return the credentials associated with the current LWP. 733.El 734.Ss Scope Management 735.Nm 736provides routines to manage the creation and deletion of scopes on the 737system. 738.Pp 739Note that the built-in scopes, the 740.Dq generic 741scope and the 742.Dq process 743scope, can't be deleted. 744.Bl -tag -width "123456" 745.It Ft kauth_scope_t Fn kauth_register_scope "const char *id" \ 746"kauth_scope_callback_t cb" "void *cookie" 747Register a new scope on the system. 748.Ar id 749is the name of the scope, usually in reverse DNS-like notation. 750For example, 751.Dq org.netbsd.kauth.myscope . 752.Ar cb 753is the default listener, to which authorization requests for this scope 754will be dispatched to. 755.Ar cookie 756is optional user-data that will be passed to all listeners 757during authorization on the scope. 758.It Ft void Fn kauth_deregister_scope "kauth_scope_t scope" 759Deregister 760.Ar scope 761from the scopes available on the system. 762.El 763.Ss Listener Management 764Listeners in 765.Nm 766are authorization callbacks that are called during an authorization 767request in the scope which they belong to. 768.Pp 769When an authorization request is made, all listeners associated with 770a scope are called to allow, deny, or defer the request. 771.Pp 772It is enough for one listener to deny the request in order for the 773request to be denied; but all listeners are called during an authorization 774process none-the-less. 775All listeners are required to allow the request for it to be granted, 776and in a case where all listeners defer the request -- leaving the decision 777for other listeners -- the request is denied. 778.Pp 779The following KPI is provided for the management of listeners: 780.Bl -tag -width "123456" 781.It Ft kauth_listener_t Fn kauth_listen_scope "const char *id" \ 782"kauth_scope_callback_t cb" "void *cookie" 783Create a new listener on the scope with the id 784.Ar id , 785setting the default listener to 786.Ar cb . 787.\".Ar cookie 788.\"is optional user-data that will be passed to the listener when called 789.\"during an authorization request. 790.It Ft void Fn kauth_unlisten_scope "kauth_listener_t listener" 791Remove 792.Ar listener 793from the scope which it belongs to. 794.Pp 795Effectively what this does is is remove the callback from the chain of 796functions to be called when an authorization request is made, preventing 797from the listener from being entered in the future. 798.El 799.Pp 800.Nm 801provides no means for synchronization within listeners. 802It is the the programmer's responsibility to make sure data used by the 803listener is properly locked during its use, as it can be accessed 804simultaneously from the same listener called multiple times. 805It is also the programmer's responsibility to do garbage collection after 806the listener, possibly freeing any allocated data it used. 807.Pp 808The common method to do the above is by having a reference count to 809each listener. 810On entry to the listener, this reference count should be raised, and 811on exit -- lowered. 812.Pp 813During the removal of a listener, first 814.Fn kauth_scope_unlisten 815should be called to make sure the listener code will not be entered in 816the future. 817Then, the code should wait (possibly sleeping) until the reference count 818drops to zero. 819When that happens, it is safe to do the final cleanup. 820.Pp 821Listeners might sleep, so no locks can be held when calling an authorization 822wrapper. 823.\".Sh EXAMPLES 824.Sh SEE ALSO 825.Xr secmodel 9 826.Sh HISTORY 827The kernel authorization framework first appeared in Mac OS X 10.4. 828.Pp 829The kernel authorization framework in 830.Nx 831first appeared in 832.Nx 4.0 , 833and is a clean-room implementation based on Apple TN2127, available at 834http://developer.apple.com/technotes/tn2005/tn2127.html 835.Sh AUTHORS 836.An Elad Efrat Aq elad@NetBSD.org 837implemented the kernel authorization framework in 838.Nx . 839.Pp 840.An Jason R. Thorpe Aq thorpej@NetBSD.org 841provided guidance and answered questions about the Darwin implementation. 842.Sh ONE MORE THING 843The 844.Nm 845framework is dedicated to Brian Mitchell, one of the most talented people 846I know. 847Thanks for everything. 848