[src/trunk]: src/sys Put procfs policy back in the subsystem.
details: https://anonhg.NetBSD.org/src/rev/ac4f7ae08127
branches: trunk
changeset: 747829:ac4f7ae08127
user: elad <elad%NetBSD.org@localhost>
date: Fri Oct 02 23:00:02 2009 +0000
description:
Put procfs policy back in the subsystem.
diffstat:
sys/miscfs/procfs/procfs_vfsops.c | 50 +++++++++++++++++++++++++++++++++++-
sys/secmodel/suser/secmodel_suser.c | 33 ++---------------------
2 files changed, 52 insertions(+), 31 deletions(-)
diffs (148 lines):
diff -r 3fd8d9be2d46 -r ac4f7ae08127 sys/miscfs/procfs/procfs_vfsops.c
--- a/sys/miscfs/procfs/procfs_vfsops.c Fri Oct 02 22:46:18 2009 +0000
+++ b/sys/miscfs/procfs/procfs_vfsops.c Fri Oct 02 23:00:02 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: procfs_vfsops.c,v 1.83 2009/03/15 17:22:38 cegger Exp $ */
+/* $NetBSD: procfs_vfsops.c,v 1.84 2009/10/02 23:00:02 elad Exp $ */
/*
* Copyright (c) 1993
@@ -76,7 +76,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: procfs_vfsops.c,v 1.83 2009/03/15 17:22:38 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: procfs_vfsops.c,v 1.84 2009/10/02 23:00:02 elad Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -110,6 +110,8 @@
static struct sysctllog *procfs_sysctl_log;
+static kauth_listener_t procfs_listener;
+
/*
* VFS Operations.
*
@@ -305,6 +307,45 @@
};
static int
+procfs_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct proc *p;
+ struct pfsnode *pfs;
+ enum kauth_process_req req;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+ p = arg0;
+ pfs = arg1;
+ req = (enum kauth_process_req)(unsigned long)arg2;
+
+ if (action != KAUTH_PROCESS_PROCFS)
+ return result;
+
+ /* Privileged; let secmodel handle that. */
+ if (req == KAUTH_REQ_PROCESS_PROCFS_CTL)
+ return result;
+
+ switch (pfs->pfs_type) {
+ case PFSregs:
+ case PFSfpregs:
+ case PFSmem:
+ if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
+ ISSET(p->p_flag, PK_SUGID))
+ break;
+
+ /*FALLTHROUGH*/
+ default:
+ result = KAUTH_RESULT_ALLOW;
+ break;
+ }
+
+ return result;
+}
+
+
+static int
procfs_modcmd(modcmd_t cmd, void *arg)
{
int error;
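Review bot: procfs_listener_cb is now the only place the procfs access policy lives, but it has no header comment stating that policy; the one inline comment covers only the CTL case. I would add a block comment above the function saying that it handles only KAUTH_PROCESS_PROCFS, defers PROCFS_CTL requests to the secmodel, allows regs/fpregs/mem nodes only when the caller's uid matches the target's and the target is not PK_SUGID (deferring otherwise), and allows every other pfs_type unconditionally. That last point deserves to be explicit, since the default arm grants access without looking at cred at all. The callback also dereferences pfs and p for every non-CTL request; assuming every requester supplies a valid pfsnode and proc that is fine, but a guard such as `if (pfs == NULL || p == NULL) return result;` after the action check would document the expectation at no cost.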
@@ -330,12 +371,17 @@
* one more instance of the "number to vfs" mapping problem,
* but "12" is the order as taken from sys/mount.h
*/
+
+ procfs_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
+ procfs_listener_cb, NULL);
+
break;
case MODULE_CMD_FINI:
error = vfs_detach(&procfs_vfsops);
if (error != 0)
break;
sysctl_teardown(&procfs_sysctl_log);
+ kauth_unlisten_scope(procfs_listener);
break;
default:
error = ENOTTY;
diff -r 3fd8d9be2d46 -r ac4f7ae08127 sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c Fri Oct 02 22:46:18 2009 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c Fri Oct 02 23:00:02 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.8 2009/10/02 23:00:02 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.8 2009/10/02 23:00:02 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -574,36 +574,11 @@
break;
- case KAUTH_PROCESS_PROCFS: {
- enum kauth_process_req req = (enum kauth_process_req)arg2;
- struct pfsnode *pfs = arg1;
-
- if (isroot) {
+ case KAUTH_PROCESS_PROCFS:
+ if (isroot)
result = KAUTH_RESULT_ALLOW;
- break;
- }
-
- if (req == KAUTH_REQ_PROCESS_PROCFS_CTL) {
- break;
- }
-
- switch (pfs->pfs_type) {
- case PFSregs:
- case PFSfpregs:
- case PFSmem:
- if (kauth_cred_getuid(cred) !=
- kauth_cred_getuid(p->p_cred) ||
- ISSET(p->p_flag, PK_SUGID)) {
- break;
- }
- /*FALLTHROUGH*/
- default:
- result = KAUTH_RESULT_ALLOW;
- break;
- }
break;
- }
case KAUTH_PROCESS_PTRACE:
if (isroot)