KAUTH(9)                NetBSD Kernel Developer's Manual                KAUTH(9)

   Device Scope
     The device scope, "org.netbsd.kauth.device", manages authorization
     requests related to devices on the system.  Devices can be, for example,
     terminals, tape drives, and any other hardware.  Network devices
     specifically are handled by the network scope.

     In addition to the standard authorization wrapper:

           int kauth_authorize_device(kauth_cred_t cred, kauth_action_t op,
                   void *arg0, void *arg1, void *arg2, void *arg3)

     this scope provides authorization wrappers for various device types.

           int kauth_authorize_device_tty(kauth_cred_t cred, kauth_action_t op,
                   struct tty *tty)

     Authorizes requests for terminal devices on the system.  The third
     argument, tty, is the terminal device in question.  It is passed to the
     listener as arg0.  The second argument, op, is the action and can be one
     of the following:

     KAUTH_DEVICE_TTY_OPEN
             Open the terminal device pointed to by tty.

     KAUTH_DEVICE_TTY_PRIVSET
             Set privileged settings on the terminal device pointed to by tty.

     KAUTH_DEVICE_TTY_STI
             Use the TIOCSTI ioctl(2) on the terminal device pointed to by
             tty, which injects characters into the terminal's input buffer
             as if they had been typed there, simulating terminal input.

           int kauth_authorize_device_spec(kauth_cred_t cred,
                   enum kauth_device_req req, struct vnode *vp)

     Authorizes requests for special files, usually disk devices, but also
     direct memory access, on the system.

     It passes KAUTH_DEVICE_RAWIO_SPEC as the action to the listener, and
     accepts two arguments.  req, passed to the listener as arg0, is the
     access requested, and can be one of KAUTH_REQ_DEVICE_RAWIO_SPEC_READ,
     KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE, or KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
     representing read, write, or both read and write access respectively.
     vp is the vnode of the special file in question, and is passed to the
     listener as arg1.

     Keep in mind that the wrapper does not distinguish a disk from system
     memory: it is the responsibility of the security model developer to
     check whether the underlying device is a disk or the system memory,
     using iskmemdev():

           /* Character special file whose device number is /dev/mem or
            * /dev/kmem: the request is for system memory, not a disk. */
           if ((vp->v_type == VCHR) &&
               iskmemdev(vp->v_un.vu_specinfo->si_rdev))
                   /* system memory access */

           int kauth_authorize_device_passthru(kauth_cred_t cred, dev_t dev,
                   u_long mode, void *data)

     Authorizes hardware passthru requests, or user commands passed directly
     to the hardware.  These have the potential of resulting in direct disk
     and/or memory access.

     It passes KAUTH_DEVICE_RAWIO_PASSTHRU as the action to the listener, and
     accepts three arguments.  dev, passed as arg1 to the listener, is the
     device for which the request is made.  mode, passed as arg0 to the
     listener, is a generic representation of the access mode requested.  It
     can be one or more (binary-OR'd) of the following:

NetBSD 3.0                      February 28, 2008                             9
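The following is an added example and not code from the NetBSD tree or from kauth(9) itself: a userland model of a device-scope listener together with the kauth_authorize_device_tty() and kauth_authorize_device_spec() wrappers described above, so the argument slots (req in arg0, vp in arg1, tty in arg0) and the iskmemdev() check the page leaves to the security model developer can be exercised outside the kernel. The type, action and request names follow the manual page; the numeric values, the struct layouts, iskmemdev(), KMEM_MAJOR, the uid-0 policy and the rule that a lone deferral counts as denial are assumptions made here so the file builds and runs stand-alone.

```c
/* Added example, not NetBSD code: a userland model of a kauth(9) device-scope
 * listener and its wrappers.  Type, action and request names follow kauth(9);
 * their values, the struct layouts, iskmemdev(), KMEM_MAJOR and the uid-0
 * policy are stand-ins chosen here so the file builds outside the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

typedef uint32_t kdev_t;                 /* stand-in for the kernel's dev_t */
typedef unsigned kauth_action_t;
enum { KAUTH_RESULT_ALLOW = 0, KAUTH_RESULT_DENY, KAUTH_RESULT_DEFER };

/* Device-scope actions named in kauth(9); the numeric values are assumed. */
enum { KAUTH_DEVICE_TTY_OPEN = 1, KAUTH_DEVICE_TTY_PRIVSET, KAUTH_DEVICE_TTY_STI,
       KAUTH_DEVICE_RAWIO_SPEC, KAUTH_DEVICE_RAWIO_PASSTHRU };
/* Requests for KAUTH_DEVICE_RAWIO_SPEC; they reach the listener as arg0. */
enum kauth_device_req { KAUTH_REQ_DEVICE_RAWIO_SPEC_READ = 1,
       KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE, KAUTH_REQ_DEVICE_RAWIO_SPEC_RW };
enum vtype { VREG, VCHR, VBLK };

/* Minimal stand-ins for the kernel objects the listener inspects. */
struct kauth_cred { int uid; };
typedef struct kauth_cred *kauth_cred_t;
struct vnode { enum vtype v_type; kdev_t v_rdev; }; /* v_rdev: vp->v_un.vu_specinfo->si_rdev */
struct tty { int t_unused; };

#define KMEM_MAJOR 2u   /* assumption: character major of /dev/mem and /dev/kmem */
#define MAKEDEV_(maj, min) ((kdev_t)(((maj) << 8) | (min)))
static int iskmemdev(kdev_t dev) { return (dev >> 8) == KMEM_MAJOR; }

/* The security model's listener on "org.netbsd.kauth.device". */
static int
device_listener(kauth_cred_t cred, kauth_action_t action, void *cookie,
    void *arg0, void *arg1, void *arg2, void *arg3)
{
	(void)cookie; (void)arg2; (void)arg3;
	switch (action) {
	case KAUTH_DEVICE_TTY_STI:
		/* arg0 is the struct tty.  TIOCSTI feeds the caller's bytes to the
		 * terminal as if typed there, so this model reserves it for uid 0. */
		(void)arg0;
		return cred->uid == 0 ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
	case KAUTH_DEVICE_RAWIO_SPEC: {
		enum kauth_device_req req = (enum kauth_device_req)(uintptr_t)arg0;
		struct vnode *vp = arg1;
		/* The wrapper does not tell a disk from system memory; kauth(9)
		 * leaves that check to the listener, so it is done here. */
		if (vp->v_type == VCHR && iskmemdev(vp->v_rdev)) {
			if (req != KAUTH_REQ_DEVICE_RAWIO_SPEC_READ)
				return KAUTH_RESULT_DENY; /* no writes to /dev/mem, even for root */
			return cred->uid == 0 ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY;
		}
		return cred->uid == 0 ? KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY; /* raw disk */
	}
	default:
		/* TTY_OPEN, TTY_PRIVSET, RAWIO_PASSTHRU: no opinion, so defer to
		 * other listeners rather than allow blindly. */
		return KAUTH_RESULT_DEFER;
	}
}

/* Model of the generic wrapper: one listener, and a lone deferral is treated
 * as denial (the conservative rule assumed for this model). */
static int
kauth_authorize_device(kauth_cred_t cred, kauth_action_t op,
    void *arg0, void *arg1, void *arg2, void *arg3)
{
	int r = device_listener(cred, op, NULL, arg0, arg1, arg2, arg3);
	return r == KAUTH_RESULT_ALLOW ? 0 : EPERM;
}

/* The typed wrappers from kauth(9), showing which slot each argument fills. */
static int
kauth_authorize_device_tty(kauth_cred_t cred, kauth_action_t op, struct tty *tty)
{
	return kauth_authorize_device(cred, op, tty, NULL, NULL, NULL);
}

static int
kauth_authorize_device_spec(kauth_cred_t cred, enum kauth_device_req req,
    struct vnode *vp)
{
	return kauth_authorize_device(cred, KAUTH_DEVICE_RAWIO_SPEC,
	    (void *)(uintptr_t)req, vp, NULL, NULL);
}

/* Constructed sample objects: root and unprivileged credentials, a tty, a raw
 * disk (VCHR, major 4) and /dev/mem (VCHR, KMEM_MAJOR). */
static struct kauth_cred root_cred = { 0 }, user_cred = { 1000 };
static struct tty console_tty = { 0 };
static struct vnode disk_vn = { VCHR, MAKEDEV_(4u, 1u) };
static struct vnode mem_vn  = { VCHR, MAKEDEV_(KMEM_MAJOR, 0u) };
```

Two points the listener makes concrete: a VCHR vnode with a raw-I/O request is not necessarily a disk, so the iskmemdev() test has to happen in the listener before deciding what a write means; and actions the model does not reason about (here TTY_OPEN, TTY_PRIVSET and RAWIO_PASSTHRU) are deferred, never allowed by default.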
