1.\" $NetBSD: kauth.9,v 1.105 2014/03/18 18:20:40 riastradh Exp $ 2.\" 3.\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 22.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 26.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27.\" 28.Dd July 4, 2012 29.Dt KAUTH 9 30.Os 31.Sh NAME 32.Nm kauth 33.Nd kernel authorization framework 34.Sh SYNOPSIS 35.In sys/kauth.h 36.Sh DESCRIPTION 37.Nm , 38or kernel authorization, is the subsystem managing all authorization requests 39inside the kernel. 40It manages user credentials and rights, and can be used 41to implement a system-wide security policy. 42It allows external modules to plug-in the authorization process. 43.Pp 44.Nm 45introduces some new concepts, namely 46.Dq scopes 47and 48.Dq listeners , 49which will be detailed together with other useful information for kernel 50developers in this document. 51.Ss Types 52Some 53.Nm 54types include the following: 55.Bl -tag -width kauth_listener_t 56.It kauth_cred_t 57Representing credentials that can be associated with an object. 58Includes user- and group-ids (real, effective, and save) as well as group 59membership information. 60.It kauth_scope_t 61Describes a scope. 62.It kauth_listener_t 63Describes a listener. 64.El 65.Ss Terminology 66.Nm 67operates in various 68.Dq scopes , 69each scope holding a group of 70.Dq listeners . 71.Pp 72Each listener works as a callback for when an authorization request within the 73scope is made. 74When such a request is made, all listeners on the scope are passed common 75information such as the credentials of the request context, an identifier for 76the requested operation, and possibly other information as well. 77.Pp 78Every listener examines the passed information and returns its decision 79regarding the requested operation. 80It can either return: 81.Pp 82.Bl -tag -width KAUTH_RESULT_ALLOW -compact 83.It Dv KAUTH_RESULT_ALLOW 84The listener allows the operation. 85.It Dv KAUTH_RESULT_DENY 86The listener denies the operation. 87.It Dv KAUTH_RESULT_DEFER 88The listener defers the decision to other listeners. 89.El 90.Pp 91For an operation to be allowed, at least one listener has to return 92.Dv KAUTH_RESULT_ALLOW 93while no other listener returned 94.Dv KAUTH_RESULT_DENY . 95.Pp 96Scopes manage listeners that operate in the same aspect of the system. 97.Ss Kernel Programming Interface 98.Nm 99exports a KPI that allows developers both of 100.Nx 101and third-party products to authorize requests, access and modify credentials, 102create and remove scopes and listeners, and perform other miscellaneous operations on 103credentials. 104.Ss Authorization Requests 105.Nm 106provides a single authorization request routine, which all authorization 107requests go through. 108This routine dispatches the request to the listeners of the appropriate scope, 109together with four optional user-data variables, and returns the augmented 110result. 111.Pp 112It is declared as 113.Pp 114.Ft int Fn kauth_authorize_action "kauth_scope_t scope" "kauth_cred_t cred" \ 115"kauth_action_t op" "void *arg0" "void *arg1" "void *arg2" "void *arg3" 116.Pp 117An authorization request can return one of two possible values: 118.Bl -tag -width ".It Dv 0 Po zero Pc" -compact 119.It Dv 0 Po zero Pc 120indicates success; operation is allowed. 121.It Dv EPERM 122indicates failure; operation is denied. 123See 124.Xr errno 2 . 125.El 126.Pp 127Each scope has its own authorization wrapper, to make it easy to call from various 128places by eliminating the need to specify the scope and/or cast values. 129The authorization wrappers are detailed in each scope's section. 130.Pp 131.Fn kauth_authorize_action 132has several special cases, when it will always allow the request. 133These are for when the request is issued by the kernel itself (indicated by the 134credentials being either 135.Dv NOCRED 136or 137.Dv FSCRED ) , 138or when there was no definitive decision from any of the listeners (i.e., it 139was not explicitly allowed or denied) and no security model was loaded. 140.Ss Generic Scope 141The generic scope, 142.Dq org.netbsd.kauth.generic , 143manages generic authorization requests in the kernel. 144.Pp 145The authorization wrapper for this scope is declared as 146.Pp 147.Ft int Fn kauth_authorize_generic "kauth_cred_t cred" "kauth_action_t op" \ 148"void *arg0" 149.Pp 150The following operations are available for this scope: 151.Bl -tag -width compact 152.It Dv KAUTH_GENERIC_ISSUSER 153Checks whether the credentials belong to the super-user. 154.Pp 155Using this request is strongly discouraged and should only be done as a 156temporary place-holder, as it is breaking the separation between the 157interface for authorization requests from the back-end implementation. 158.El 159.Ss System Scope 160The system scope, 161.Dq org.netbsd.kauth.system , 162manages authorization requests affecting the entire system. 163.Pp 164The authorization wrapper for this scope is declared as 165.Pp 166.Ft int Fn kauth_authorize_system "kauth_cred_t cred" \ 167"kauth_action_t op" "enum kauth_system_req req" "void *arg1" "void *arg2" \ 168"void *arg3" 169.Pp 170The following requests are available for this scope: 171.Bl -tag -width compact 172.It Dv KAUTH_SYSTEM_ACCOUNTING 173Check if enabling/disabling accounting allowed. 174.It Dv KAUTH_SYSTEM_CHROOT 175.Ar req 176can be any of the following: 177.Bl -tag -width compact 178.It Dv KAUTH_REQ_SYSTEM_CHROOT_CHROOT 179Check if calling 180.Xr chroot 2 181is allowed. 182.It Dv KAUTH_REQ_SYSTEM_CHROOT_FCHROOT 183Check if calling 184.Xr fchroot 2 185is allowed. 186.El 187.It Dv KAUTH_SYSTEM_CPU 188Check CPU-manipulation access. 189.Pp 190.Ar req 191can be any of the following: 192.Bl -tag -width compact 193.It Dv KAUTH_REQ_SYSTEM_CPU_SETSTATE 194Set CPU state, including setting it online or offline. 195.El 196.It Dv KAUTH_SYSTEM_DEBUG 197This request concentrates several debugging-related operations. 198.Ar req 199can be any of the following: 200.Bl -tag -width compact 201.It Dv KAUTH_REQ_SYSTEM_DEBUG_IPKDB 202Check if using 203.Xr ipkdb 4 204is allowed. 205.El 206.It Dv KAUTH_SYSTEM_DEVMAPPER 207Check if operations on the device mapper 208.Xr dm 4 209device are allowed. 210.It Dv KAUTH_SYSTEM_FILEHANDLE 211Check if file handle operations allowed. 212.It Dv KAUTH_SYSTEM_FS_EXTATTR 213Check if starting, stopping, enabling, or disabling extended attributes 214is allowed. 215.Ar arg1 216is a 217.Ft struct mount * 218of the mount-point on which the operation is performed. 219.It Dv KAUTH_SYSTEM_FS_SNAPSHOT 220Check if setting up a file system snapshot is allowed. 221.Ar arg1 222is a 223.Ft struct mount * 224of the mount-point of which the snapshot is taken, and 225.Ar arg2 226is a 227.Ft struct vnode * 228of the vnode where the snapshot is expected to be. 229.It Dv KAUTH_SYSTEM_FS_QUOTA 230Check if file system quota operations are allowed. 231.Pp 232.Ar arg1 233is a 234.Ft struct mount * 235describing the file system mount in question. 236.Ar req 237can be one of the following: 238.Bl -tag -width compact 239.It Dv KAUTH_REQ_SYSTEM_FS_QUOTA_GET 240Check if retrieving quota information is allowed. 241.Pp 242.Ar arg2 243is a 244.Ft uid_t 245with the user-id of the user whose quota information is to be retrieved. 246.It Dv KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF 247Check if turning quota on/off is allowed. 248.It Dv KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE 249Check if managing the quota by setting the quota/quota use is allowed. 250.Pp 251.Ar arg2 252is a 253.Ft uid_t 254with the user-id of the user whose quota/quota use is to be set. 255.It Dv KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT 256Check if bypassing the quota (not enforcing it) is allowed. 257.El 258.It Dv KAUTH_SYSTEM_FS_RESERVEDSPACE 259Check if using the file system reserved space is allowed. 260.It Dv KAUTH_SYSTEM_LFS 261Check if LFS-related operations are allowed. 262.Ar req 263can be one of the following: 264.Bl -tag -width compact 265.It Dv KAUTH_REQ_SYSTEM_LFS_MARKV 266Check if calling 267.Xr lfs_markv 2 268is allowed. 269.It Dv KAUTH_REQ_SYSTEM_LFS_BMAPV 270Check if calling 271.Xr lfs_bmapv 2 272is allowed. 273.It Dv KAUTH_REQ_SYSTEM_LFS_SEGCLEAN 274Check if calling 275.Xr lfs_segclean 2 276is allowed. 277.It Dv KAUTH_REQ_SYSTEM_LFS_SEGWAIT 278Check if calling 279.Xr lfs_segwait 2 280is allowed. 281.It Dv KAUTH_REQ_SYSTEM_LFS_FCNTL 282Check if operations on LFS through 283.Xr fcntl 2 284are allowed. 285.El 286.It Dv KAUTH_SYSTEM_MAP_VA_ZERO 287Check if changing the status of memory mapping of virtual address zero 288is allowed. 289.It Dv KAUTH_SYSTEM_MODULE 290Check if a module request is allowed. 291.Pp 292.Ar arg1 293is the command. 294.It Dv KAUTH_SYSTEM_MKNOD 295Check if creating devices is allowed. 296.It Dv KAUTH_SYSTEM_MOUNT 297Check if mount-related operations are allowed. 298.Pp 299.Ar req 300can be any of the following: 301.Bl -tag -width compact 302.It Dv KAUTH_REQ_SYSTEM_MOUNT_DEVICE 303Check if mounting a device is allowed. 304.Ar arg1 305is a 306.Ft vnode_t * 307of the device, 308.Ar arg2 309is a 310.Ft struct mount * 311with the mount-point, and 312.Ar arg3 313is a 314.Ft mode_t 315with the desired access mode. 316.It Dv KAUTH_REQ_SYSTEM_MOUNT_GET 317Check if retrieving information about a mount is allowed. 318.Ar arg1 319is a 320.Ft struct mount * 321with the mount structure in question, 322.Ar arg2 323is a 324.Ft void * 325with file system specific data, if any. 326.It Dv KAUTH_REQ_SYSTEM_MOUNT_NEW 327Check if mounting a new file system is allowed. 328.Pp 329.Ar arg1 330is the 331.Ft struct vnode * 332on which the file system is to be mounted, 333.Ar arg2 334is an 335.Ft int 336with the mount flags, and 337.Ar arg3 338is a 339.Ft void * 340with file system specific data, if any. 341.It Dv KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT 342Checks if unmounting a file system is allowed. 343.Pp 344.Ar arg1 345is a 346.Ft struct mount * 347with the mount in question. 348.It Dv KAUTH_REQ_SYSTEM_MOUNT_UPDATE 349Checks if updating an existing mount is allowed. 350.Pp 351.Ar arg1 352is the 353.Ft struct mount * 354of the existing mount, 355.Ar arg2 356is an 357.Ft int 358with the new mount flags, and 359.Ar arg3 360is a 361.Ft void * 362with file system specific data, if any. 363.It Dv KAUTH_REQ_SYSTEM_MOUNT_UMAP 364Check if mounting the user and group id remapping file system. 365See 366.Xr mount_umap 8 . 367.El 368.It Dv KAUTH_SYSTEM_MQUEUE 369Check if bypassing permissions on a message queue object are allowed. 370.Ar arg1 371is a 372.Ft mqueue_t * 373describing the message queue. 374.It Dv KAUTH_SYSTEM_PSET 375Check processor-set manipulation. 376.Pp 377.Ar req 378can be any of the following: 379.Bl -tag -width compact 380.It Dv KAUTH_REQ_SYSTEM_PSET_ASSIGN 381Change processor-set processor assignment. 382.It Dv KAUTH_REQ_SYSTEM_PSET_BIND 383Bind an LWP to a processor-set. 384.It Dv KAUTH_REQ_SYSTEM_PSET_CREATE 385Create a processor-set. 386.It Dv KAUTH_REQ_SYSTEM_PSET_DESTROY 387Destroy a processor-set. 388.El 389.It Dv KAUTH_SYSTEM_REBOOT 390Check if rebooting is allowed. 391.It Dv KAUTH_SYSTEM_SETIDCORE 392Check if changing coredump settings for set-id processes is allowed. 393.It Dv KAUTH_SYSTEM_SEMAPHORE 394Check if access to a kernel semaphore is allowed. 395.Ar arg1 396is a 397.Ft ksem_t * 398describing the semaphore. 399.It Dv KAUTH_SYSTEM_SWAPCTL 400Check if privileged 401.Xr swapctl 2 402requests are allowed. 403.It Dv KAUTH_SYSTEM_SYSCTL 404This requests operations related to 405.Xr sysctl 9 . 406.Ar req 407indicates the specific request and can be one of the following: 408.Bl -tag -width compact 409.It Dv KAUTH_REQ_SYSTEM_SYSCTL_ADD 410Check if adding a 411.Xr sysctl 9 412node is allowed. 413.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DELETE 414Check if deleting a 415.Xr sysctl 9 416node is allowed. 417.It Dv KAUTH_REQ_SYSTEM_SYSCTL_DESC 418Check if adding description to a 419.Xr sysctl 9 420node is allowed. 421.It Dv KAUTH_REQ_SYSTEM_SYSCTL_MODIFY 422Check if modifying a 423.Xr sysctl 9 424node variable that doesn't have a custom sysctl helper function is allowed. 425.Pp 426This request might be deprecated in the future. 427.It Dv KAUTH_REQ_SYSTEM_SYSCTL_PRVT 428Check if accessing private 429.Xr sysctl 9 430nodes is allowed. 431.El 432.It Dv KAUTH_SYSTEM_SYSVIPC 433Check SysV IPC related operations. 434.Ar req 435indicates the specific request and can be one of the following: 436.Bl -tag -width compact 437.It Dv KAUTH_REQ_SYSTEM_SYSVIPC_BYPASS 438Check if bypassing a SysV IPC object's permissions is allowed. 439.Ar arg1 440is a 441.Ft struct ipc_perm * 442with the object's permissions and 443.Ar arg2 444is a 445.Ft mode_t 446indicating the requested access mode. 447.It Dv KAUTH_REQ_SYSTEM_SYSVIPC_SHM_LOCK 448Check if shared memory locking is allowed. 449.It Dv KAUTH_REQ_SYSTEM_SYSVIPC_SHM_UNLOCK 450Check if shared memory unlocking is allowed. 451.It Dv KAUTH_REQ_SYSTEM_SYSVIPC_MSGQ_OVERSIZE 452Check if oversizing a message queue is allowed. 453.Ar arg1 454is a 455.Ft msglen_t 456indicating the size of the message buffer, and 457.Ar arg2 458is a 459.Ft msglen_t 460indicating the size of the message queue. 461.El 462.It Dv KAUTH_SYSTEM_TIME 463This request groups time-related operations. 464.Ar req 465can be any of the following: 466.Bl -tag -width compact 467.It Dv KAUTH_REQ_SYSTEM_TIME_ADJTIME 468Check if changing the time using 469.Xr adjtime 2 470is allowed. 471.It Dv KAUTH_REQ_SYSTEM_TIME_NTPADJTIME 472Check if setting the time using 473.Xr ntp_adjtime 2 474is allowed. 475.It Dv KAUTH_REQ_SYSTEM_TIME_SYSTEM 476Check if changing the time (usually via 477.Xr settimeofday 2 ) 478is allowed. 479.Pp 480.Ar arg1 481is a 482.Ft struct timespec * 483with the new time, 484.Ar arg2 485is a 486.Ft struct timeval * 487with the delta from the current time, 488.Ar arg3 489is a 490.Ft bool 491indicating whether the caller is a device context (e.g. 492.Pa /dev/clockctl ) 493or not. 494.It Dv KAUTH_REQ_SYSTEM_TIME_RTCOFFSET 495Check if changing the RTC offset is allowed. 496.It Dv KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS 497Check if manipulating timecounters is allowed. 498.El 499.It Dv KAUTH_SYSTEM_VERIEXEC 500Check if operations on the 501.Xr veriexec 8 502subsystem are allowed. 503.Ar req 504can be one of the following: 505.Bl -tag -width compact 506.It Dv KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS 507Check if access to the 508.Xr veriexec 8 509subsystem is allowed. 510.It Dv KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY 511Check if modifications to the state of 512.Xr veriexec 8 513are allowed. 514.El 515.El 516.Ss Process Scope 517The process scope, 518.Dq org.netbsd.kauth.process , 519manages authorization requests related to processes in the system. 520.Pp 521The authorization wrapper for this scope is declared as 522.Pp 523.Ft int Fn kauth_authorize_process "kauth_cred_t cred" \ 524"kauth_action_t op" "struct proc *p" "void *arg1" "void *arg2" \ 525"void *arg3" 526.Pp 527The following operations are available for this scope: 528.Bl -tag -width compact 529.It Dv KAUTH_PROCESS_KTRACE 530Checks whether an object with one set of credentials can 531.Xr ktrace 1 532another process 533.Ar p , 534possibly with a different set of credentials. 535.Pp 536If 537.Ar arg1 538is 539.Dv KAUTH_REQ_PROCESS_KTRACE_PERSISTENT , 540this checks if persistent tracing can be done. 541Persistent tracing maintains the trace across a set-user-id/set-group-id 542.Xr exec 3 , 543and normally requires privileged credentials. 544.It Dv KAUTH_PROCESS_PROCFS 545Checks whether object with passed credentials can use 546.Em procfs 547to access process 548.Ar p . 549.Pp 550.Ar arg1 551is the 552.Ft struct pfsnode * 553for the target element in the target process, and 554.Ar arg2 555is the access type, which can be either 556.Dv KAUTH_REQ_PROCESS_PROCFS_CTL , 557.Dv KAUTH_REQ_PROCESS_PROCFS_READ , 558.Dv KAUTH_REQ_PROCESS_PROCFS_RW , 559or 560.Dv KAUTH_REQ_PROCESS_PROCFS_WRITE , 561indicating 562.Em control , 563.Em read , 564.Em read-write , 565or 566.Em write 567access respectively. 568.It Dv KAUTH_PROCESS_PTRACE 569Checks whether object with passed credentials can use 570.Xr ptrace 2 571to access process 572.Ar p . 573.Pp 574.Ar arg1 575is the 576.Xr ptrace 2 577command. 578.It Dv KAUTH_PROCESS_CANSEE 579Checks whether an object with one set of credentials can access 580information about another process, possibly with a different set of 581credentials. 582.Pp 583.Ar arg1 584indicates the class of information being viewed, and can be either of 585.Dv KAUTH_REQ_PROCESS_CANSEE_ARGS , 586.Dv KAUTH_REQ_PROCESS_CANSEE_ENTRY , 587.Dv KAUTH_REQ_PROCESS_CANSEE_ENV , 588or 589.Dv KAUTH_REQ_PROCESS_CANSEE_OPENFILES . 590.It Dv KAUTH_PROCESS_SCHEDULER_GETAFFINITY 591Checks whether viewing the scheduler affinity is allowed. 592.It Dv KAUTH_PROCESS_SCHEDULER_SETAFFINITY 593Checks whether setting the scheduler affinity is allowed. 594.It Dv KAUTH_PROCESS_SCHEDULER_GETPARAM 595Checks whether viewing the scheduler policy and parameters is allowed. 596.It Dv KAUTH_PROCESS_SCHEDULER_SETPARAM 597Checks whether modifying the scheduler policy and parameters is allowed. 598.It Dv KAUTH_PROCESS_SIGNAL 599Checks whether an object with one set of credentials can post signals 600to another process. 601.Pp 602.Ar p 603is the process the signal is being posted to, and 604.Ar arg1 605is the signal number. 606.It Dv KAUTH_PROCESS_CORENAME 607Controls access to process corename. 608.Pp 609.Ar arg1 610can be 611.Dv KAUTH_REQ_PROCESS_CORENAME_GET 612or 613.Dv KAUTH_REQ_PROCESS_CORENAME_SET , 614indicating access to read or write the process' corename, respectively. 615.Pp 616When modifying the corename, 617.Ar arg2 618holds the new corename to be used. 619.It Dv KAUTH_PROCESS_FORK 620Checks if the process can fork. 621.Ar arg1 622is an 623.Ft int 624indicating how many processes exist on the system at the time of the check. 625.It Dv KAUTH_PROCESS_KEVENT_FILTER 626Checks whether setting a process 627.Xr kevent 2 628filter is allowed. 629.Pp 630.It Dv KAUTH_PROCESS_NICE 631Checks whether the 632.Em nice 633value of 634.Ar p 635can be changed to 636.Ar arg1 . 637.It Dv KAUTH_PROCESS_RLIMIT 638Controls access to process resource limits. 639.Pp 640.Ar arg1 641can be 642.Dv KAUTH_REQ_PROCESS_RLIMIT_GET 643or 644.Dv KAUTH_REQ_PROCESS_RLIMIT_SET , 645indicating access to read or write the process' resource limits, respectively, or 646.Dv KAUTH_REQ_PROCESS_RLIMIT_BYPASS 647to check if the limit enforcement can be bypassed. 648.Pp 649When modifying resource limits, 650.Ar arg2 651is the new value to be used and 652.Ar arg3 653indicates which resource limit is to be modified. 654.It Dv KAUTH_PROCESS_SETID 655Check if changing the user- or group-ids, groups, or login-name for 656.Ar p 657is allowed. 658.It Dv KAUTH_PROCESS_STOPFLAG 659Check if setting the stop flags for 660.Xr exec 3 , 661.Xr exit 3 , 662and 663.Xr fork 2 664is allowed. 665.Pp 666.Ar arg1 667indicates the flag, and can be either 668.Dv P_STOPEXEC , 669.Dv P_STOPEXIT , 670or 671.Dv P_STOPFORK 672respectively. 673.El 674.Ss Network Scope 675The network scope, 676.Dq org.netbsd.kauth.network , 677manages networking-related authorization requests in the kernel. 678.Pp 679The authorization wrapper for this scope is declared as 680.Pp 681.Ft int Fn kauth_authorize_network "kauth_cred_t cred" "kauth_action_t op" \ 682"enum kauth_network_req req" "void *arg1" "void *arg2" "void *arg3" 683.Pp 684The following operations are available for this scope: 685.Bl -tag -width compact 686.It Dv KAUTH_NETWORK_ALTQ 687Checks if an ALTQ operation is allowed. 688.Pp 689.Ar req 690indicates the ALTQ subsystem in question, and can be one of the following: 691.Pp 692.Bl -tag -compact -width compact 693.It Dv KAUTH_REQ_NETWORK_ALTQ_AFMAP 694.It Dv KAUTH_REQ_NETWORK_ALTQ_BLUE 695.It Dv KAUTH_REQ_NETWORK_ALTQ_CBQ 696.It Dv KAUTH_REQ_NETWORK_ALTQ_CDNR 697.It Dv KAUTH_REQ_NETWORK_ALTQ_CONF 698.It Dv KAUTH_REQ_NETWORK_ALTQ_FIFOQ 699.It Dv KAUTH_REQ_NETWORK_ALTQ_HFSC 700.It Dv KAUTH_REQ_NETWORK_ALTQ_JOBS 701.It Dv KAUTH_REQ_NETWORK_ALTQ_PRIQ 702.It Dv KAUTH_REQ_NETWORK_ALTQ_RED 703.It Dv KAUTH_REQ_NETWORK_ALTQ_RIO 704.It Dv KAUTH_REQ_NETWORK_ALTQ_WFQ 705.El 706.It Dv KAUTH_NETWORK_BIND 707Checks if a 708.Xr bind 2 709request is allowed. 710.Pp 711.Ar req 712allows to indicate the type of the request to structure listeners and callers 713easier. 714Supported request types: 715.Bl -tag -width compact 716.It Dv KAUTH_REQ_NETWORK_BIND_PORT 717Checks if binding to a non-privileged/reserved port is allowed. 718.It Dv KAUTH_REQ_NETWORK_BIND_PRIVPORT 719Checks if binding to a privileged/reserved port is allowed. 720.El 721.It Dv KAUTH_NETWORK_FIREWALL 722Checks if firewall-related operations are allowed. 723.Pp 724.Ar req 725indicates the sub-action, and can be one of the following: 726.Bl -tag -width compact 727.It Dv KAUTH_REQ_NETWORK_FIREWALL_FW 728Modification of packet filtering rules. 729.It Dv KAUTH_REQ_NETWORK_FIREWALL_NAT 730Modification of NAT rules. 731.El 732.It Dv KAUTH_NETWORK_INTERFACE 733Checks if network interface-related operations are allowed. 734.Pp 735.Ar arg1 736is (optionally) the 737.Ft struct ifnet * 738associated with the interface. 739.Ar arg2 740is (optionally) an 741.Ft int 742describing the interface-specific operation. 743.Ar arg3 744is (optionally) a pointer to the interface-specific request structure. 745.Ar req 746indicates the sub-action, and can be one of the following: 747.Bl -tag -width compact 748.It Dv KAUTH_REQ_NETWORK_INTERFACE_GET 749Check if retrieving information from the device is allowed. 750.It Dv KAUTH_REQ_NETWORK_INTERFACE_GETPRIV 751Check if retrieving privileged information from the device is allowed. 752.It Dv KAUTH_REQ_NETWORK_INTERFACE_SET 753Check if setting parameters on the device is allowed. 754.It Dv KAUTH_REQ_NETWORK_INTERFACE_SETPRIV 755Check if setting privileged parameters on the device is allowed. 756.It Dv KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE 757Check if manipulating the firmware on a network interface device is allowed. 758.El 759.Pp 760Note that unless the 761.Ft struct ifnet * 762for the interface was passed in 763.Ar arg1 , 764there's no way to tell what structure 765.Ar arg3 766is. 767.It Dv KAUTH_NETWORK_INTERFACE_BRIDGE 768Check if operations performed on the 769.Xr bridge 4 770network interface are allowed. 771.Pp 772.Ar req 773can be one of the following: 774.Bl -tag -width compact 775.It Dv KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_GETPRIV 776Check if getting privileges parameters is allowed. 777.It Dv KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_SETPRIV 778Check if setting privileges parameters is allowed. 779.El 780.It Dv KAUTH_NETWORK_INTERFACE_PPP 781Checks if operations performed on the 782.Xr ppp 4 783network interface are allowed. 784.Pp 785.Ar req 786can be one of the following: 787.Bl -tag -width compact 788.It Dv KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD 789Checks if adding and enabling a 790.Xr ppp 4 791interface to the system is allowed. 792.El 793.It Dv KAUTH_NETWORK_INTERFACE_PVC 794Check if operations performed on a PVC device (e.g. 795.Xr midway 4 ) 796are allowed. 797.Ar req 798can be one of the following: 799.Bl -tag -width compact 800.It Dv KAUTH_REQ_NETWORK_INTERFACE_PVC_ADD 801Check if adding a PVC device is allowed. 802.El 803.It Dv KAUTH_NETWORK_INTERFACE_SLIP 804Checks if operations performed on the 805.Xr sl 4 806network interface are allowed. 807.Pp 808.Ar req 809can be one of the following: 810.Bl -tag -width compact 811.It Dv KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD 812Checks if adding and enabling a 813.Xr sl 4 814interface to the system is allowed. 815.El 816.It Dv KAUTH_NETWORK_INTERFACE_STRIP 817Checks if operations performed on the 818.Xr strip 4 819network interface are allowed. 820.Pp 821.Ar req 822can be one of the following: 823.Bl -tag -width compact 824.It Dv KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD 825Check if adding and enabling a 826.Xr strip 4 827interface to the system is allowed. 828.El 829.It Dv KAUTH_NETWORK_INTERFACE_TUN 830Checks if operations performed on the 831.Xr tun 4 832network interface are allowed. 833.Pp 834.Ar req 835can be one of the following: 836.Bl -tag -width compact 837.It Dv KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD 838Checks if adding and enabling a 839.Xr tun 4 840interface to the system is allowed. 841.El 842.It Dv KAUTH_NETWORK_IPSEC 843Check if operations related to 844.Xr ipsec 4 845connections are allowed. 846.Ar req 847can be one of the following: 848.Bl -tag -width compact 849.It Dv KAUTH_REQ_NETWORK_IPSEC_BYPASS 850Check if bypassing 851.Xr ipsec 4 852policy is allowed. 853.El 854.It Dv KAUTH_NETWORK_IPV6 855Check if IPv6-specific operations are allowed. 856.Ar req 857can be one of the following: 858.Bl -tag -width compact 859.It Dv KAUTH_REQ_NETWORK_IPV6_HOPBYHOP 860Check if setting hop-by-hop packet options is allowed. 861.It Dv KAUTH_REQ_NETWORK_IPV6_JOIN_MULTICAST 862Check if joining a multicast network is allowed. 863.El 864.It Dv KAUTH_NETWORK_FORWSRCRT 865Checks whether status of forwarding of source-routed packets can be modified 866or not. 867.It Dv KAUTH_NETWORK_NFS 868Check if an NFS related operation is allowed. 869.Pp 870.Ar req 871can be any of the following: 872.Bl -tag -width compact 873.It Dv KAUTH_REQ_NETWORK_NFS_EXPORT 874Check if modifying the NFS export table is allowed. 875.It Dv KAUTH_REQ_NETWORK_NFS_SVC 876Check if access to the NFS 877.Xr nfssvc 2 878syscall is allowed. 879.El 880.It Dv KAUTH_NETWORK_ROUTE 881Checks if a routing-related request is allowed. 882.Pp 883.Ar arg1 884is the 885.Ft struct rt_msghdr * 886for the request. 887.It Dv KAUTH_NETWORK_SMB 888Check if operations related to SMB are allowed. 889.Pp 890.Ar req 891can be one of the following: 892.Bl -tag -width compact 893.It Dv KAUTH_REQ_NETWORK_SMB_SHARE_ACCESS 894Check if accessing an SMB share is allowed. 895.Pp 896.Ar arg1 897is a 898.Ft struct smb_share * 899describing the SMB share, and 900.Ar arg2 901is a 902.Ft mode_t 903with the desired access mode. 904.It Dv KAUTH_REQ_NETWORK_SMB_SHARE_CREATE 905Check if creating an SMB share is allowed. 906.Pp 907.Ar arg1 908is a 909.Ft struct smb_sharespec * 910describing the share to be created. 911.It Dv KAUTH_REQ_NETWORK_SMB_VC_ACCESS 912Check if accessing an SMB VC is allowed. 913.Pp 914.Ar arg1 915is a 916.Ft struct smb_vc * 917describing the SMB VC, and 918.Ar arg2 919is a 920.Ft mode_t 921with the desired access mode. 922.It Dv KAUTH_REQ_NETWORK_SMB_VC_CREATE 923Check if creating an SMB VC is allowed. 924.Pp 925.Ar arg1 926is a 927.Ft struct smb_vcspec * 928describing the VC to be created. 929.El 930.It Dv KAUTH_NETWORK_SOCKET 931Checks if a socket related operation is allowed. 932.Pp 933.Ar req 934allows to indicate the type of the request to structure listeners and callers 935easier. 936Supported request types: 937.Bl -tag -width compact 938.It Dv KAUTH_REQ_NETWORK_SOCKET_RAWSOCK 939Checks if opening a raw socket is allowed. 940.It Dv KAUTH_REQ_NETWORK_SOCKET_OPEN 941Checks if opening a socket is allowed. 942.Ar arg1 , arg2 , 943and 944.Ar arg3 945are all 946.Ft int 947parameters describing the domain, socket type, and protocol, 948respectively. 949.It Dv KAUTH_REQ_NETWORK_SOCKET_CANSEE 950Checks if looking at the socket passed is allowed. 951.Pp 952.Ar arg1 953is a 954.Ft struct socket * 955describing the socket. 956.It Dv KAUTH_REQ_NETWORK_SOCKET_DROP 957Checks if a connection can be dropped. 958.Pp 959.Ar arg1 960is a 961.Ft struct socket * 962describing the socket. 963.It Dv KAUTH_REQ_NETWORK_SOCKET_SETPRIV 964Checks if setting privileged socket options is allowed. 965.Pp 966.Ar arg1 967is a 968.Ft struct socket * 969describing the socket, 970.Ar arg2 971is a 972.Ft u_long 973describing the socket option. 974.El 975.El 976.Ss Machine-dependent Scope 977The machine-dependent (machdep) scope, 978.Dq org.netbsd.kauth.machdep , 979manages machine-dependent authorization requests in the kernel. 980.Pp 981The authorization wrapper for this scope is declared as 982.Pp 983.Ft int Fn kauth_authorize_machdep "kauth_cred_t cred" "kauth_action_t op" \ 984"void *arg0" "void *arg1" "void *arg2" "void *arg3" 985.Pp 986The actions on this scope provide a set that may or may not affect all 987platforms. 988Below is a list of available actions, along with which platforms are affected 989by each. 990.Bl -tag -width compact 991.It Dv KAUTH_MACHDEP_CACHEFLUSH 992Request to flush the whole CPU cache. 993Affects 994.Em m68k 995Linux emulation. 996.It Dv KAUTH_MACHDEP_CPU_UCODE_APPLY 997Request to apply a CPU microcode to a CPU. 998This is related to 999.Em CPU_UCODE , 1000see 1001.Xr options 4 . 1002Affects 1003.Em i386 1004and 1005.Em xen . 1006.It Dv KAUTH_MACHDEP_IOPERM_GET 1007Request to get the I/O permission level. 1008Affects 1009.Em amd64 , 1010.Em i386 , 1011.Em xen . 1012.It Dv KAUTH_MACHDEP_IOPERM_SET 1013Request to set the I/O permission level. 1014Affects 1015.Em amd64 , 1016.Em i386 , 1017.Em xen . 1018.It Dv KAUTH_MACHDEP_IOPL 1019Request to set the I/O privilege level. 1020Affects 1021.Em amd64 , 1022.Em i386 , 1023.Em xen . 1024.It Dv KAUTH_MACHDEP_LDT_GET 1025Request to get the LDT (local descriptor table). 1026Affects 1027.Em amd64 , 1028.Em i386 , 1029.Em xen . 1030.It Dv KAUTH_MACHDEP_LDT_SET 1031Request to set the LDT (local descriptor table). 1032Affects 1033.Em amd64 , 1034.Em i386 , 1035.Em xen . 1036.It Dv KAUTH_MACHDEP_MTRR_GET 1037Request to get the MTRR (memory type range registers). 1038Affects 1039.Em amd64 , 1040.Em i386 , 1041.Em xen . 1042.It Dv KAUTH_MACHDEP_MTRR_SET 1043Request to set the MTRR (memory type range registers). 1044Affects 1045.Em amd64 , 1046.Em i386 , 1047.Em xen . 1048.It Dv KAUTH_MACHDEP_NVRAM 1049Request to access (read/write) the NVRAM. 1050Affects 1051.Em i386 . 1052.It Dv KAUTH_MACHDEP_PXG 1053Request to start or stop the 1054.Xr pxg 4 1055CPU. 1056.Ar arg0 1057is 1058.Ft true 1059or 1060.Ft false , 1061respectively. 1062Affects 1063.Em pmax . 1064.It Dv KAUTH_MACHDEP_UNMANAGEDMEM 1065Request to access unmanaged memory. 1066Affects 1067.Em alpha , 1068.Em amd64 , 1069.Em arm , 1070.Em i386 , 1071.Em powerpc , 1072.Em sh3 , 1073.Em vax , 1074.Em xen . 1075.El 1076.Ss Device Scope 1077The device scope, 1078.Dq org.netbsd.kauth.device , 1079manages authorization requests related to devices on the system. 1080Devices can be, for example, terminals, tape drives, Bluetooth accessories, and 1081any other hardware. 1082Network devices specifically are handled by the 1083.Em network 1084scope. 1085.Pp 1086In addition to the standard authorization wrapper: 1087.Pp 1088.Ft int Fn kauth_authorize_device "kauth_cred_t cred" "kauth_action_t op" \ 1089"void *arg0" "void *arg1" "void *arg2" "void *arg3" 1090.Pp 1091this scope provides authorization wrappers for various device types. 1092.Pp 1093.Ft int Fn kauth_authorize_device_tty "kauth_cred_t cred" "kauth_action_t op" \ 1094"struct tty *tty" 1095.Pp 1096Authorizes requests for 1097.Em terminal devices 1098on the system. 1099The third argument, 1100.Ar tty , 1101is the terminal device in question. 1102It is passed to the listener as 1103.Ar arg0 . 1104The second argument, 1105.Ar op , 1106is the action and can be one of the following: 1107.Bl -tag -width compact 1108.It Dv KAUTH_DEVICE_TTY_OPEN 1109Open the terminal device pointed to by 1110.Ar tty . 1111.It Dv KAUTH_DEVICE_TTY_PRIVSET 1112Set privileged settings on the terminal device pointed to by 1113.Ar tty . 1114.It Dv KAUTH_DEVICE_TTY_STI 1115Use the 1116.Dq TIOCSTI 1117device 1118.Xr ioctl 2 , 1119allowing to inject characters into the terminal buffer, simulating terminal 1120input. 1121.It Dv KAUTH_DEVICE_TTY_VIRTUAL 1122Control the virtual console. 1123.Ar tty 1124is the current console 1125.Xr tty 4 . 1126.El 1127.Pp 1128.Ft int Fn kauth_authorize_device_spec "kauth_cred_t cred" \ 1129"enum kauth_device_req req" "struct vnode *vp" 1130.Pp 1131Authorizes requests for 1132.Em special files , 1133usually disk devices, but also direct memory access, on the system. 1134.Pp 1135It passes 1136.Dv KAUTH_DEVICE_RAWIO_SPEC 1137as the action to the listener, and accepts two arguments. 1138.Ar req , 1139passed to the listener as 1140.Ar arg0 , 1141is access requested, and can be one of 1142.Dv KAUTH_REQ_DEVICE_RAWIO_SPEC_READ , 1143.Dv KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE , 1144or 1145.Dv KAUTH_REQ_DEVICE_RAWIO_SPEC_RW , 1146representing read, write, or both read/write access respectively. 1147.Ar vp 1148is the vnode of the special file in question, and is passed to the listener as 1149.Ar arg1 . 1150.Pp 1151Keep in mind that it is the responsibility of the security model developer to 1152check whether the underlying device is a disk or the system memory, using 1153.Fn iskmemdev : 1154.Bd -literal -offset indent 1155if ((vp-\*[Gt]v_type == VCHR) \*[Am]\*[Am] 1156 iskmemdev(vp-\*[Gt]v_un.vu_specinfo-\*[Gt]si_rdev)) 1157 /* system memory access */ 1158.Ed 1159.Pp 1160.Ft int Fn kauth_authorize_device_passthru "kauth_cred_t cred" "dev_t dev" \ 1161"u_long mode" "void *data" 1162.Pp 1163Authorizes hardware 1164.Em passthru 1165requests, or user commands passed directly to the hardware. 1166These have the potential of resulting in direct disk and/or memory access. 1167.Pp 1168It passes 1169.Dv KAUTH_DEVICE_RAWIO_PASSTHRU 1170as the action to the listener, and accepts three arguments. 1171.Ar dev , 1172passed as 1173.Ar arg1 1174to the listener, is the device for which the request is made. 1175.Ar mode , 1176passed as 1177.Ar arg0 1178to the listener, is a generic representation of the access mode requested. 1179It can be one or more (binary-OR'd) of the following: 1180.Pp 1181.Bl -tag -width compact -offset indent -compact 1182.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ 1183.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF 1184.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE 1185.It KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF 1186.El 1187.Pp 1188.Ar data , 1189passed as 1190.Ar arg2 1191to the listener, is device-specific data that may be associated with the 1192request. 1193.Ss Bluetooth Devices 1194Authorizing actions relevant to Bluetooth devices is done using the standard 1195authorization wrapper, with the following actions: 1196.Pp 1197.Bl -tag -width compact 1198.It KAUTH_DEVICE_BLUETOOTH_BCSP 1199Check if operations on a 1200.Xr bcsp 4 1201device are allowed. 1202.Pp 1203.Ar arg0 1204is an 1205.Ft enum kauth_device_req 1206with one of the following values: 1207.Bl -tag -width compact 1208.It Dv KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD 1209Check if adding and enabling a 1210.Xr bcsp 4 1211device is allowed. 1212.El 1213.It KAUTH_DEVICE_BLUETOOTH_BTUART 1214Check if operations on a 1215.Xr btuart 4 1216device are allowed. 1217.Pp 1218.Ar arg0 1219is an 1220.Ft enum kauth_device_req 1221with one of the following values: 1222.Bl -tag -width compact 1223.It Dv KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD 1224Check if adding and enabling a 1225.Xr btuart 4 1226device is allowed. 1227.El 1228.It KAUTH_DEVICE_BLUETOOTH_RECV 1229Check if a packet can be received from the device. 1230.Pp 1231.Ar arg0 1232is the packet type. 1233For 1234.Dv HCI_CMD_PKT 1235packets, 1236.Ar arg1 1237is the opcode, for 1238.Dv HCI_EVENT_PKT 1239packets, 1240.Ar arg1 1241is the event ID, and for 1242.Dv HCI_ACLDATA_PKT 1243or 1244.Dv HCI_SCODATA_PKT 1245packets, 1246.Ar arg1 1247is the connection handle. 1248.It KAUTH_DEVICE_BLUETOOTH_SEND 1249Check if a packet can be sent to the device. 1250.Pp 1251.Ar arg0 1252is a 1253.Ft struct hci_unit * 1254describing the HCI unit, 1255.Ar arg1 1256is a 1257.Ft hci_cmd_hdr_t * 1258describing the packet header. 1259.It KAUTH_DEVICE_BLUETOOTH_SETPRIV 1260Check if privileged settings can be changed. 1261.Pp 1262.Ar arg0 1263is a 1264.Ft struct hci_unit * 1265describing the HCI unit, 1266.Ar arg1 1267is a 1268.Ft struct btreq * 1269describing the request, and 1270.Ar arg2 1271is a 1272.Ft u_long 1273describing the command. 1274.El 1275.Ss Kernel random device 1276Authorization actions relevant to the kernel random device, 1277.Xr rnd 4 , 1278is done using the standard authorization wrapper, with the following actions: 1279.Pp 1280.Bl -tag -width compact 1281.It KAUTH_DEVICE_RND_ADDDATA 1282Check if adding data to the entropy pool is allowed. 1283.It KAUTH_DEVICE_RND_GETPRIV 1284Check if privileged settings and information can be retrieved. 1285.It KAUTH_DEVICE_RND_SETPRIV 1286Check if privileged settings can be changed. 1287.El 1288.Ss Wscons devices 1289Authorization actions relevant to 1290.Xr wscons 4 1291are done using the standard authorization wrapper, with the following actions: 1292.Pp 1293.Bl -tag -width compact 1294.It KAUTH_DEVICE_WSCONS_KEYBOARD_BELL 1295Check if setting the default bell is allowed. 1296.It KAUTH_DEVICE_WSCONS_KEYBOARD_KEYREPEAT 1297Check if setting the default key-repeat is allowed. 1298.El 1299.Ss Vnode Scope 1300The vnode scope, 1301.Dq org.netbsd.kauth.vnode , 1302authorizes operations made on vnodes representing file system objects. 1303.Pp 1304The authorization wrapper for this scope is declared as 1305.Pp 1306.Ft int Fn kauth_authorize_vnode "kauth_cred_t cred" "kauth_action_t action" \ 1307"vnode_t *vp" "vnode_t *dvp" "int fs_decision" 1308.Pp 1309This scope is heavily used in file system code and can potentially affect 1310system-wide performance. 1311Therefore, there are several things developers should know when using it. 1312.Pp 1313First, the 1314.Ar action 1315parameter is a bit-mask and multiple actions can be binary-OR'd and authorized 1316in a single call. 1317Two helper functions help generate the 1318.Ar action 1319value for a couple of common cases: translating file system access to a 1320.Xr kauth 9 1321action and checking access to a vnode. 1322.Pp 1323The first, 1324.Fn kauth_mode_to_action "mode_t access_mode" , 1325and returns a 1326.Ft kauth_action_t 1327representing the desired access modes. 1328Another function, 1329.Fn kauth_access_action "mode_t access_mode" "enum vtype v_type" \ 1330"mode_t file_mode" , 1331returns a 1332.Ft kauth_action_t 1333suitable for use in many file system 1334.Xr access 2 1335implementations. 1336It calls the aforementioned 1337.Fn kauth_mode_to_action , 1338but before returning also adds the 1339.Dv KAUTH_VNODE_IS_EXEC 1340flag if needed. 1341See below for the meaning of this flag and how its necessity is 1342determined. 1343.Pp 1344Second, it is recommended to be very careful with adding listeners on this 1345scope. 1346A special parameter, 1347.Ar fs_decision , 1348allows different file systems to instrument different policies without adding 1349their own listener. 1350This parameter is special because it also serves as a fall-back decision when 1351no 1352.Xr secmodel 9 1353is present to prevent a fail-open scenario. 1354It can take either an 1355.Xr errno 2 1356value or 1357.Dq KAUTH_VNODE_REMOTEFS , 1358indicating that the file system on which the authorization is made is remote 1359and cannot provide us with a fall-back decision. 1360In this case, 1361.Xr kauth 9 1362can only short-circuit the request but the file system will have the last 1363word if there is no definitive allow or deny decision. 1364.Pp 1365The value of 1366.Ar fs_decision 1367can be hard-coded or determined by calling an internal function implementing a 1368policy. 1369For the latter case, 1370.Xr genfs 9 1371provides a set of helper functions that implement common policies that 1372file systems can use. 1373The calling convention is as follows: 1374.Bd -literal -offset indent 1375int error; 1376 1377error = kauth_authorize_vnode(..., genfs_can_foo(...)); 1378.Ed 1379.Pp 1380Actions on the vnode scope are of two types: operations and flags. 1381An operation is similar in concept to actions on other scopes in the sense 1382that it represents an operation desired by the caller. 1383A flag is an indicator of additional information about the vnode that 1384a file system can set in order to allow the listener to make a more 1385informed decision. 1386.Pp 1387Actions include the following: 1388.Bl -tag -width compact -offset indent 1389.It KAUTH_VNODE_READ_DATA 1390Read file data. 1391.It KAUTH_VNODE_LIST_DIRECTORY 1392Read directory listing. 1393Identical to the above. 1394.It KAUTH_VNODE_WRITE_DATA 1395Write file data. 1396.It KAUTH_VNODE_ADD_FILE 1397Add a file to a directory. 1398Identical to the above. 1399.It KAUTH_VNODE_EXECUTE 1400Execute a file. 1401.It KAUTH_VNODE_SEARCH 1402Search (enter) a directory. 1403Identical to the above. 1404.It KAUTH_VNODE_DELETE 1405Delete a file. 1406.It KAUTH_VNODE_APPEND_DATA 1407Append data to a file. 1408.It KAUTH_VNODE_ADD_SUBDIRECTORY 1409Add a subdirectory to a directory. 1410Identical to the above. 1411.It KAUTH_VNODE_READ_TIMES 1412Read the created, last accessed, and last modified times of a file. 1413.It KAUTH_VNODE_WRITE_TIMES 1414Modify the created, last accessed, or last modified times of a file. 1415.It KAUTH_VNODE_READ_FLAGS 1416Read file flags. 1417.It KAUTH_VNODE_WRITE_FLAGS 1418Modify file flags. 1419.It KAUTH_VNODE_READ_SYSFLAGS 1420Read file system flags. 1421.It KAUTH_VNODE_WRITE_SYSFLAGS 1422Modify file system flags. 1423.It KAUTH_VNODE_RENAME 1424Rename a file. 1425.It KAUTH_VNODE_CHANGE_OWNERSHIP 1426Change ownership of a file. 1427.It KAUTH_VNODE_READ_SECURITY 1428Read the permissions of a file. 1429.It KAUTH_VNODE_WRITE_SECURITY 1430Change the permissions of a file, for example by using 1431.Xr chmod 2 . 1432.It KAUTH_VNODE_READ_ATTRIBUTES 1433Read attributes of a file. 1434.It KAUTH_VNODE_WRITE_ATTRIBUTES 1435Modify attributes of a file. 1436.It KAUTH_VNODE_READ_EXTATTRIBUTES 1437Read extended attributes of a file. 1438.It KAUTH_VNODE_WRITE_EXTATTRIBUTES 1439Modify extended attributes of a file. 1440.It KAUTH_VNODE_RETAIN_SUID 1441Check if retaining the set-user-id bit on files after 1442.Xr chown 2 1443is allowed. 1444.It KAUTH_VNODE_RETAIN_SGID 1445Check if retaining the set-group-id bit on files after 1446.Xr chown 2 1447is allowed. 1448.It KAUTH_VNODE_REVOKE 1449Revoke a file. 1450.El 1451.Pp 1452Flags include the following: 1453.Bl -tag -width compact -offset indent 1454.It KAUTH_VNODE_IS_EXEC 1455The vnode is executable. 1456.Pp 1457The macro 1458.Fn FS_OBJECT_CAN_EXEC 1459can be used to help determine if this flag should be set. 1460This macro determines a file system object to be executable if it is a 1461directory (in which case we say it is searchable) or if it has at least one 1462executable bit set in its mode. 1463.Pp 1464Setting this flag helps a listener know that a vnode is executable and is used 1465in implementing privileged access to files and directories while maintaining 1466semantics that prevent execution until a file is marked as an executable. 1467An example for using this in listener code is: 1468.Bd -literal -offset indent 1469if (privileged) { 1470 /* Always allow read/write; execute only if executable. */ 1471 if ((action & KAUTH_VNODE_EXECUTE) == 0 || 1472 (action & KAUTH_VNODE_IS_EXEC)) 1473 result = KAUTH_RESULT_ALLOW; 1474} 1475.Ed 1476.Pp 1477Finally, the vnode scope authorization wrapper returns 1478.Er EACCES 1479in case of an error, to maintain file system semantics. 1480File systems can override this value if needed. 1481.It KAUTH_VNODE_HAS_SYSFLAGS 1482The file system object represented by the vnode has system flags set. 1483.It KAUTH_VNODE_ACCESS 1484The authorization is advisory only and no actual operation is to be 1485performed. 1486This is not implemented. 1487.El 1488.Ss Credentials Scope 1489The credentials scope, 1490.Dq org.netbsd.kauth.cred , 1491is a special scope used internally by the 1492.Nm 1493framework to provide hooking to credential-related operations. 1494.Pp 1495It is a 1496.Dq notify-only 1497scope, allowing hooking operations such as initialization of new credentials, 1498credential inheritance during a fork, and copying and freeing of credentials. 1499The main purpose for this scope is to give a security model a way to control 1500the aforementioned operations, especially in cases where the credentials 1501hold security model-private data. 1502.Pp 1503Notifications are made using the following function, which is internal to 1504.Nm : 1505.Pp 1506.Ft int Fn kauth_cred_hook "kauth_cred_t cred" "kauth_action_t action" \ 1507"void *arg0" "void *arg1" 1508.Pp 1509With the following actions: 1510.Bl -tag -width compact 1511.It Dv KAUTH_CRED_COPY 1512The credentials are being copied. 1513.Ar cred 1514are the credentials of the lwp context doing the copy, and 1515.Ar arg0 1516and 1517.Ar arg1 1518are both 1519.Ft kauth_cred_t 1520representing the 1521.Dq from 1522and 1523.Dq to 1524credentials, respectively. 1525.It Dv KAUTH_CRED_FORK 1526The credentials are being inherited from a parent to a child process during a 1527fork. 1528.Pp 1529.Ar cred 1530are the credentials of the lwp context doing the fork, and 1531.Ar arg0 1532and 1533.Ar arg1 1534are both 1535.Ft struct proc * 1536of the parent and child processes, respectively. 1537.It Dv KAUTH_CRED_CHROOT 1538The credentials in cred belong to a process whose root directory is 1539changed through 1540.Xr change_root 9 1541.Pp 1542.Ar Arg0 1543is the new 1544.Ft struct cwdinfo * 1545of the process. 1546.It Dv KAUTH_CRED_FREE 1547The credentials in 1548.Ar cred 1549are being freed. 1550.It Dv KAUTH_CRED_INIT 1551The credentials in 1552.Ar cred 1553are being initialized. 1554.El 1555.Pp 1556Since this is a notify-only scope, all listeners are required to return 1557.Dv KAUTH_RESULT_ALLOW . 1558.Ss Credentials Accessors and Mutators 1559.Nm 1560has a variety of accessor and mutator routines to handle 1561.Ft kauth_cred_t 1562objects. 1563.Pp 1564The following routines can be used to access and modify the user- and 1565group-ids in a 1566.Ft kauth_cred_t : 1567.Bl -tag -width compact 1568.It Ft uid_t Fn kauth_cred_getuid "kauth_cred_t cred" 1569Returns the real user-id from 1570.Ar cred . 1571.It Ft uid_t Fn kauth_cred_geteuid "kauth_cred_t cred" 1572Returns the effective user-id from 1573.Ar cred . 1574.It Ft uid_t Fn kauth_cred_getsvuid "kauth_cred_t cred" 1575Returns the saved user-id from 1576.Ar cred . 1577.It Ft void Fn kauth_cred_setuid "kauth_cred_t cred" "uid_t uid" 1578Sets the real user-id in 1579.Ar cred 1580to 1581.Ar uid . 1582.It Ft void Fn kauth_cred_seteuid "kauth_cred_t cred" "uid_t uid" 1583Sets the effective user-id in 1584.Ar cred 1585to 1586.Ar uid . 1587.It Ft void Fn kauth_cred_setsvuid "kauth_cred_t cred" "uid_t uid" 1588Sets the saved user-id in 1589.Ar cred 1590to 1591.Ar uid . 1592.It Ft gid_t Fn kauth_cred_getgid "kauth_cred_t cred" 1593Returns the real group-id from 1594.Ar cred . 1595.It Ft gid_t Fn kauth_cred_getegid "kauth_cred_t cred" 1596Returns the effective group-id from 1597.Ar cred . 1598.It Ft gid_t Fn kauth_cred_getsvgid "kauth_cred_t cred" 1599Returns the saved group-id from 1600.Ar cred . 1601.It Ft void Fn kauth_cred_setgid "kauth_cred_t cred" "gid_t gid" 1602Sets the real group-id in 1603.Ar cred 1604to 1605.Ar gid . 1606.It Ft void Fn kauth_cred_setegid "kauth_cred_t cred" "gid_t gid" 1607Sets the effective group-id in 1608.Ar cred 1609to 1610.Ar gid . 1611.It Ft void Fn kauth_cred_setsvgid "kauth_cred_t cred" "gid_t gid" 1612Sets the saved group-id in 1613.Ar cred 1614to 1615.Ar gid . 1616.It Ft u_int Fn kauth_cred_getrefcnt "kauth_cred_t cred" 1617Return the reference count for 1618.Ar cred . 1619.El 1620.Pp 1621The following routines can be used to access and modify the group 1622list in a 1623.Ft kauth_cred_t : 1624.Bl -tag -width compact 1625.It Ft int Fn kauth_cred_ismember_gid "kauth_cred_t cred" "gid_t gid" \ 1626"int *resultp" 1627Checks if the group-id 1628.Ar gid 1629is a member in the group list of 1630.Ar cred . 1631.Pp 1632If it is, 1633.Ar resultp 1634will be set to one, otherwise, to zero. 1635.Pp 1636The return value is an error code, or zero for success. 1637.It Ft u_int Fn kauth_cred_ngroups "kauth_cred_t cred" 1638Return the number of groups in the group list of 1639.Ar cred . 1640.It Ft gid_t Fn kauth_cred_group "kauth_cred_t cred" "u_int idx" 1641Return the group-id of the group at index 1642.Ar idx 1643in the group list of 1644.Ar cred . 1645.It Ft int Fn kauth_cred_setgroups "kauth_cred_t cred" "const gid_t *groups" \ 1646"size_t ngroups" "uid_t gmuid" "enum uio_seg seg" 1647Copy 1648.Ar ngroups 1649groups from array pointed to by 1650.Ar groups 1651to the group list in 1652.Ar cred , 1653adjusting the number of groups in 1654.Ar cred 1655appropriately. 1656.Ar seg 1657should be either 1658.Dv UIO_USERSPACE 1659or 1660.Dv UIO_SYSSPACE 1661indicating whether 1662.Ar groups 1663is a user or kernel space address. 1664.Pp 1665Any groups remaining will be set to an invalid value. 1666.Pp 1667.Ar gmuid 1668is unused for now, and to maintain interface compatibility with the Darwin 1669KPI. 1670.Pp 1671The return value is an error code, or zero for success. 1672.It Ft int Fn kauth_cred_getgroups "kauth_cred_t cred" "gid_t *groups" \ 1673"size_t ngroups" "enum uio_seg seg" 1674Copy 1675.Ar ngroups 1676groups from the group list in 1677.Ar cred 1678to the buffer pointed to by 1679.Ar groups . 1680.Ar seg 1681should be either 1682.Dv UIO_USERSPACE 1683or 1684.Dv UIO_SYSSPACE 1685indicating whether 1686.Ar groups 1687is a user or kernel space address. 1688.Pp 1689The return value is an error code, or zero for success. 1690.El 1691.Ss Credential Private Data 1692.Nm 1693provides an interface to allow attaching security-model private data to 1694credentials. 1695.Pp 1696The use of this interface has two parts that can be divided to direct and 1697indirect control of the private-data. 1698Directly controlling the private data is done by using the below routines, 1699while the indirect control is often dictated by events such as process 1700fork, and is handled by listening on the credentials scope (see above). 1701.Pp 1702Attaching private data to credentials works by registering a key to serve 1703as a unique identifier, distinguishing various sets of private data that 1704may be associated with the credentials. 1705Registering, and deregistering, a key is done by using these routines: 1706.Pp 1707.Bl -tag -width compact 1708.It Ft int Fn kauth_register_key "secmodel_t sm" "kauth_key_t *keyp" 1709Register new key for private data for security model 1710.Ar sm . 1711.Ar keyp 1712will be used to return the key to be used in further calls. 1713.Pp 1714The function returns 0 on success and an error code (see 1715.Xr errno 2 ) 1716on failure. 1717.It Ft int Fn kauth_deregister_key "kauth_key_t key" 1718Deregister private data key 1719.Ar key . 1720.El 1721.Pp 1722Once registered, private data may be manipulated by the following routines: 1723.Bl -tag -width compact 1724.It Ft void Fn kauth_cred_setdata "kauth_cred_t cred" "kauth_key_t key" \ 1725"void *data" 1726Set private data for 1727.Ar key 1728in 1729.Ar cred 1730to be 1731.Ar data . 1732.It Ft void * Fn kauth_cred_getdata "kauth_cred_t cred" "kauth_key_t key" 1733Retrieve private data for 1734.Ar key 1735in 1736.Ar cred . 1737.El 1738.Pp 1739Note that it is required to use the above routines every time the private 1740data is changed, i.e., using 1741.Fn kauth_cred_getdata 1742and later modifying the private data should be accompanied by a call to 1743.Fn kauth_cred_setdata 1744with the 1745.Dq new 1746private data. 1747.Ss Credential Inheritance and Reference Counting 1748.Nm 1749provides an interface for handling shared credentials. 1750.Pp 1751When a 1752.Ft kauth_cred_t 1753is first allocated, its reference count is set to 1. 1754However, with time, its reference count can grow as more objects (processes, 1755LWPs, files, etc.) reference it. 1756.Pp 1757The following routines are available for managing credentials reference 1758counting: 1759.Bl -tag -width compact 1760.It Ft void Fn kauth_cred_hold "kauth_cred_t cred" 1761Increases reference count to 1762.Ar cred 1763by one. 1764.It Ft void Fn kauth_cred_free "kauth_cred_t cred" 1765Decreases the reference count to 1766.Ar cred 1767by one. 1768.Pp 1769If the reference count dropped to zero, the memory used by 1770.Ar cred 1771will be freed. 1772.El 1773.Pp 1774Credential inheritance happens during a 1775.Xr fork 2 , 1776and is handled by the following function: 1777.Pp 1778.Ft void Fn kauth_proc_fork "struct proc *parent" "struct proc *child" 1779.Pp 1780When called, it references the parent's credentials from the child, 1781and calls the credentials scope's hook with the 1782.Dv KAUTH_CRED_FORK 1783action to allow security model-specific handling of the inheritance 1784to take place. 1785.Ss Credentials Memory Management 1786Data-structures for credentials, listeners, and scopes are allocated from 1787memory pools managed by the 1788.Xr pool 9 1789subsystem. 1790.Pp 1791The 1792.Ft kauth_cred_t 1793objects have their own memory management routines: 1794.Bl -tag -width compact 1795.It Ft kauth_cred_t Fn kauth_cred_alloc "void" 1796Allocates a new 1797.Ft kauth_cred_t , 1798initializes its lock, and sets its reference count to one. 1799.El 1800.Ss Conversion Routines 1801Sometimes it might be necessary to convert a 1802.Ft kauth_cred_t 1803to userland's view of credentials, a 1804.Ft struct uucred , 1805or vice versa. 1806.Pp 1807The following routines are available for these cases: 1808.Bl -tag -width compact 1809.It Ft void Fn kauth_uucred_to_cred "kauth_cred_t cred" "const struct uucred *uucred" 1810Convert userland's view of credentials to a 1811.Ft kauth_cred_t . 1812.Pp 1813This includes effective user- and group-ids, a number of groups, and a group 1814list. 1815The reference count is set to one. 1816.Pp 1817Note that 1818.Nm 1819will try to copy as many groups as can be held inside a 1820.Ft kauth_cred_t . 1821.It Ft void Fn kauth_cred_to_uucred "struct uucred *uucred" "const kauth_cred_t cred" 1822Convert 1823.Ft kauth_cred_t 1824to userland's view of credentials. 1825.Pp 1826This includes effective user- and group-ids, a number of groups, and a group 1827list. 1828.Pp 1829Note that 1830.Nm 1831will try to copy as many groups as can be held inside a 1832.Ft struct uucred . 1833.It Ft int Fn kauth_cred_uucmp "kauth_cred_t cred" "struct uucred *uucred" 1834Compares 1835.Ar cred 1836with the userland credentials in 1837.Ar uucred . 1838.Pp 1839Common values that will be compared are effective user- and group-ids, and 1840the group list. 1841.El 1842.Ss Miscellaneous Routines 1843Other routines provided by 1844.Nm 1845are: 1846.Bl -tag -width compact 1847.It Ft void Fn kauth_cred_clone "kauth_cred_t cred1" "kauth_cred_t cred2" 1848Clone credentials from 1849.Ar cred1 1850to 1851.Ar cred2 , 1852except for the lock and reference count. 1853.Pp 1854.It Ft kauth_cred_t Fn kauth_cred_dup "kauth_cred_t cred" 1855Duplicate 1856.Ar cred . 1857.Pp 1858What this routine does is call 1859.Fn kauth_cred_alloc 1860followed by a call to 1861.Fn kauth_cred_clone . 1862.It Ft kauth_cred_t Fn kauth_cred_copy "kauth_cred_t cred" 1863Works like 1864.Fn kauth_cred_dup , 1865except for a few differences. 1866.Pp 1867If 1868.Ar cred 1869already has a reference count of one, it will be returned. 1870Otherwise, a new 1871.Ft kauth_cred_t 1872will be allocated and the credentials from 1873.Ar cred 1874will be cloned to it. 1875Last, a call to 1876.Fn kauth_cred_free 1877for 1878.Ar cred 1879will be done. 1880.It Ft kauth_cred_t Fn kauth_cred_get "void" 1881Return the credentials associated with the current LWP. 1882.El 1883.Ss Scope Management 1884.Nm 1885provides routines to manage the creation and deletion of scopes on the 1886system. 1887.Pp 1888Note that the built-in scopes, the 1889.Dq generic 1890scope and the 1891.Dq process 1892scope, can't be deleted. 1893.Bl -tag -width compact 1894.It Ft kauth_scope_t Fn kauth_register_scope "const char *id" \ 1895"kauth_scope_callback_t cb" "void *cookie" 1896Register a new scope on the system. 1897.Ar id 1898is the name of the scope, usually in reverse DNS-like notation. 1899For example, 1900.Dq org.netbsd.kauth.myscope . 1901.Ar cb 1902is the default listener, to which authorization requests for this scope 1903will be dispatched to. 1904.Ar cookie 1905is optional user-data that will be passed to all listeners 1906during authorization on the scope. 1907.It Ft void Fn kauth_deregister_scope "kauth_scope_t scope" 1908Deregister 1909.Ar scope 1910from the scopes available on the system, and free the 1911.Ft kauth_scope_t 1912object 1913.Ar scope . 1914.El 1915.Ss Listener Management 1916Listeners in 1917.Nm 1918are authorization callbacks that are called during an authorization 1919request in the scope which they belong to. 1920.Pp 1921When an authorization request is made, all listeners associated with 1922a scope are called to allow, deny, or defer the request. 1923.Pp 1924It is enough for one listener to deny the request in order for the 1925request to be denied; but all listeners are called during an authorization 1926process none-the-less. 1927All listeners are required to allow the request for it to be granted, 1928and in a case where all listeners defer the request -- leaving the decision 1929for other listeners -- the request is denied. 1930.Pp 1931The following KPI is provided for the management of listeners: 1932.Bl -tag -width compact 1933.It Ft kauth_listener_t Fn kauth_listen_scope "const char *id" \ 1934"kauth_scope_callback_t cb" "void *cookie" 1935Create a new listener on the scope with the id 1936.Ar id , 1937setting the default listener to 1938.Ar cb . 1939.Ar cookie 1940is optional user-data that will be passed to the listener when called 1941during an authorization request. 1942.It Ft void Fn kauth_unlisten_scope "kauth_listener_t listener" 1943Removes 1944.Ar listener 1945from the scope which it belongs to, ensuring it won't be called again, 1946and frees the 1947.Ft kauth_listener_t 1948object 1949.Ar listener . 1950.El 1951.Pp 1952.Nm 1953provides no means for synchronization within listeners. 1954It is the programmer's responsibility to make sure data used by the 1955listener is properly locked during its use, as it can be accessed 1956simultaneously from the same listener called multiple times. 1957It is also the programmer's responsibility to do garbage collection after 1958the listener, possibly freeing any allocated data it used. 1959.Pp 1960The common method to do the above is by having a reference count to 1961each listener. 1962On entry to the listener, this reference count should be raised, and 1963on exit -- lowered. 1964.Pp 1965During the removal of a listener, first 1966.Fn kauth_scope_unlisten 1967should be called to make sure the listener code will not be entered in 1968the future. 1969Then, the code should wait (possibly sleeping) until the reference count 1970drops to zero. 1971When that happens, it is safe to do the final cleanup. 1972.Pp 1973Listeners might sleep, so no locks can be held when calling an authorization 1974wrapper. 1975.Sh EXAMPLES 1976Older code had no abstraction of the security model, so most privilege 1977checks looked like this: 1978.Bd -literal -offset indent 1979if (suser(cred, \*[Am]acflag) == 0) 1980 /* allow privileged operation */ 1981.Ed 1982.Pp 1983Using the new interface, you must ask for a specific privilege explicitly. 1984For example, checking whether it is possible to open a socket would look 1985something like this: 1986.Bd -literal -offset indent 1987if (kauth_authorize_network(cred, KAUTH_NETWORK_SOCKET, 1988 KAUTH_REQ_NETWORK_SOCKET_OPEN, PF_INET, SOCK_STREAM, 1989 IPPROTO_TCP) == 0) 1990 /* allow opening the socket */ 1991.Ed 1992.Pp 1993Note that the 1994.Em securelevel 1995implications were also integrated into the 1996.Nm 1997framework so you don't have to note anything special in the call to the 1998authorization wrapper, but rather just have to make sure the security 1999model handles the request as you expect it to. 2000.Pp 2001To do that you can just 2002.Xr grep 1 2003in the relevant security model directory and have a look at the code. 2004.Sh EXTENDING KAUTH 2005Although 2006.Nm 2007provides a large set of both detailed and more or less generic requests, 2008it might be needed eventually to introduce more scopes, actions, or 2009requests. 2010.Pp 2011Adding a new scope should happen only when an entire subsystem is 2012introduced and it is assumed other parts of the kernel may want to 2013interfere with its inner-workings. 2014When a subsystem that has the potential of impacting the security 2015of the system is introduced, existing security modules must be updated 2016to also handle actions on the newly added scope. 2017.Pp 2018New actions should be added when sets of operations not covered at all 2019belong in an already existing scope. 2020.Pp 2021Requests (or sub-actions) can be added as subsets of existing actions 2022when an operation that belongs in an already covered area is introduced. 2023.Pp 2024Note that all additions should include updates to this manual, the 2025security models shipped with 2026.Nx , 2027and the example skeleton security model. 2028.Sh SEE ALSO 2029.Xr secmodel 9 2030.Sh HISTORY 2031The kernel authorization framework first appeared in Mac OS X 10.4. 2032.Pp 2033The kernel authorization framework in 2034.Nx 2035first appeared in 2036.Nx 4.0 , 2037and is a clean-room implementation based on Apple TN2127, available at 2038.Lk http://developer.apple.com/technotes/tn2005/tn2127.html 2039.Sh NOTES 2040As 2041.Nm 2042in 2043.Nx 2044is still under active development, it is likely that the ABI, and possibly the 2045API, will differ between 2046.Nx 2047versions. 2048Developers are to take notice of this fact in order to avoid building code 2049that expects one version of the ABI and running it in a system with a different 2050one. 2051.Sh AUTHORS 2052.An Elad Efrat Aq Mt elad@NetBSD.org 2053implemented the kernel authorization framework in 2054.Nx . 2055.Pp 2056.An Jason R. Thorpe Aq Mt thorpej@NetBSD.org 2057provided guidance and answered questions about the Darwin implementation. 2058