Date: Thu, 14 Sep 2006 22:49:19 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Max Laier <max@love2party.net> Cc: trustedbsd-discuss@trustedbsd.org, freebsd-arch@freebsd.org Subject: Re: New in-kernel privilege API: priv(9) Message-ID: <20060914224516.G53301@fledge.watson.org> In-Reply-To: <200609140253.06818.max@love2party.net> References: <20060913150912.J1823@fledge.watson.org> <200609140253.06818.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 14 Sep 2006, Max Laier wrote: > I tried to read with care and understand the reason behind not using flags - > at least partly. I didn't find any in your email so: Wouldn't it make > sense to mask off at least part of it to encode some general decision into > the privilege value directly. A la: > > #define ALLOW_IN_JAIL 0x8000000 > > #define PRIV_KTRACE (42 | ALLOW_IN_JAIL) > > Right now, prison_priv_check() is looking rather scary to me. If something > else wants to decide on finer granularity, alright, but in my opinion it's > easier (more obvious) to keep the "normal" information in the .h file where > the privileges are defined and described - as we are aiming for > centralization of the decision and information. On top of that the caller > could mask off ALLOW_IN_JAIL if they think it's not appropriate in a special > use case of the privilege. I'd like to avoid encoding the behavior of the jail policy into the privilege mechanism if we can avoid it, or changes in prison policy won't be properly propagated to binary modules, etc. Imagine for a moment that the prison_check_priv() function contained none of the commented out privileges, which will be its final state, and with comments explaining which particular clusters of privileges are allowed (and are safe) in Jail. The commented out privileges listed there are primarily so I can make sure all the privileges are in sync during development, and not required in the long term. > On an aside, it would be nice to have "optional" privilege checks i.e. in pf > we trust the file permissions on /dev/pf (plus securelevel) to decide if > someone is allowed to fiddle with the firewall. It would be nice to have a > way of allowing MAC (or whatever) to decide this - without disallowing > non-root use as long as the policy doesn't care. In code that would mean a > "if (flags & SUSER_OPTIONAL) return (0);" just before the "if > (suser_enabled) ..."-block. The policy would have it's go in > mac_priv_check() above. Just to make sure I understnad what you're describing: you would like a way to tell the kernel that specific privileges can have a relaxed policy for granting the privilege? I.e., throwing a global flag that grants the privilege to arbitrary credentials, rather than just root credentials? Robert N M Watson Computer Laboratory University of Cambridge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060914224516.G53301>