[src/trunk]: src Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential s...
details: https://anonhg.NetBSD.org/src/rev/befac6c91c7c
branches: trunk
changeset: 779912:befac6c91c7c
user: cheusov <cheusov%NetBSD.org@localhost>
date: Wed Jun 27 12:28:28 2012 +0000
description:
Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential scope.
Reviewed and approved by elad@.
diffstat:
share/man/man9/kauth.9 | 11 ++++++++++-
sys/kern/kern_auth.c | 10 ++++++++--
sys/kern/vfs_syscalls.c | 17 +++++++++++++++--
sys/sys/kauth.h | 8 ++++++--
4 files changed, 39 insertions(+), 7 deletions(-)
diffs (135 lines):
diff -r 45a1006434cf -r befac6c91c7c share/man/man9/kauth.9
--- a/share/man/man9/kauth.9 Wed Jun 27 11:53:36 2012 +0000
+++ b/share/man/man9/kauth.9 Wed Jun 27 12:28:28 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.100 2012/03/17 14:42:13 njoly Exp $
+.\" $NetBSD: kauth.9,v 1.101 2012/06/27 12:28:28 cheusov Exp $
.\"
.\" Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>
.\" All rights reserved.
@@ -1534,6 +1534,15 @@
are both
.Ft struct proc *
of the parent and child processes, respectively.
+.It Dv KAUTH_CRED_CHROOT
+The credentials in cred belong to a process whose root directory is
+changed through
+.Xr change_root 9
+.Pp
+.Ar Arg0
+is the new
+.Ft struct cwdinfo *
+of the process.
.It Dv KAUTH_CRED_FREE
The credentials in
.Ar cred
diff -r 45a1006434cf -r befac6c91c7c sys/kern/kern_auth.c
--- a/sys/kern/kern_auth.c Wed Jun 27 11:53:36 2012 +0000
+++ b/sys/kern/kern_auth.c Wed Jun 27 12:28:28 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kern_auth.c,v 1.70 2012/06/27 10:06:55 cheusov Exp $ */
+/* $NetBSD: kern_auth.c,v 1.71 2012/06/27 12:28:28 cheusov Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.70 2012/06/27 10:06:55 cheusov Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.71 2012/06/27 12:28:28 cheusov Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -260,6 +260,12 @@
child);
}
+void
+kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi)
+{
+ kauth_cred_hook(cred, KAUTH_CRED_CHROOT, cwdi, NULL);
+}
+
uid_t
kauth_cred_getuid(kauth_cred_t cred)
{
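Review bot: The new kauth_proc_chroot has no header comment, so a reader has to open kauth.9 to learn what the two hook arguments mean; the neighbouring credential-scope entry points are the only hint that this is a notification rather than an authorization decision. I would add above the definition `/* Notify credential-scope listeners that the process owning cred has a new root directory; cwdi is passed as arg0, arg1 is unused. */`. The declaration of kauth_cred_getuid at the end of this hunk continues outside it.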
diff -r 45a1006434cf -r befac6c91c7c sys/kern/vfs_syscalls.c
--- a/sys/kern/vfs_syscalls.c Wed Jun 27 11:53:36 2012 +0000
+++ b/sys/kern/vfs_syscalls.c Wed Jun 27 12:28:28 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vfs_syscalls.c,v 1.456 2012/05/08 08:44:49 gson Exp $ */
+/* $NetBSD: vfs_syscalls.c,v 1.457 2012/06/27 12:28:28 cheusov Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -70,7 +70,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.456 2012/05/08 08:44:49 gson Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.457 2012/06/27 12:28:28 cheusov Exp $");
#ifdef _KERNEL_OPT
#include "opt_fileassoc.h"
@@ -1398,6 +1398,10 @@
void
change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
{
+ struct proc *p = l->l_proc;
+ kauth_cred_t ncred;
+
+ ncred = kauth_cred_alloc();
rw_enter(&cwdi->cwdi_lock, RW_WRITER);
if (cwdi->cwdi_rdir != NULL)
@@ -1419,6 +1423,15 @@
cwdi->cwdi_cdir = vp;
}
rw_exit(&cwdi->cwdi_lock);
+
+ /* Get a write lock on the process credential. */
+ proc_crmod_enter();
+
+ kauth_cred_clone(p->p_cred, ncred);
+ kauth_proc_chroot(ncred, p->p_cwdi);
+
+ /* Broadcast our credentials to the process and other LWPs. */
+ proc_crmod_leave(ncred, p->p_cred, true);
}
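Review bot: The hook call passes `p->p_cwdi` while the rest of change_root operates on the `cwdi` parameter that was just updated under cwdi_lock; if a caller ever hands in a cwdinfo other than the current process's, listeners would be told about the wrong object, so `kauth_proc_chroot(ncred, cwdi);` matches what kauth.9 promises for Arg0. The hook also runs only after the root has been swapped and the lock released, so a listener cannot veto the change; that should be stated in a comment if it is intentional, e.g. `/* Listeners are notified after the fact; the root change is already visible. */`. Finally, the third argument to proc_crmod_leave is `true`; if that is the sugid flag as in other callers, every chroot would mark the process as having changed credentials, which deserves a one-line why-comment or confirmation that it is wanted. The first hunk of this file allocates ncred unconditionally; nothing on the visible lines frees it on a path where the hook is not reached, which looks fine here but is worth keeping in mind if early returns are added.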
/*
diff -r 45a1006434cf -r befac6c91c7c sys/sys/kauth.h
--- a/sys/sys/kauth.h Wed Jun 27 11:53:36 2012 +0000
+++ b/sys/sys/kauth.h Wed Jun 27 12:28:28 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.69 2012/03/13 18:41:02 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.70 2012/06/27 12:28:28 cheusov Exp $ */
/*-
* Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>
@@ -44,6 +44,7 @@
struct proc;
struct tty;
struct vnode;
+struct cwdinfo;
enum vtype;
/* Types. */
@@ -331,7 +332,8 @@
KAUTH_CRED_INIT=1,
KAUTH_CRED_FORK,
KAUTH_CRED_COPY,
- KAUTH_CRED_FREE
+ KAUTH_CRED_FREE,
+ KAUTH_CRED_CHROOT
};
/*
@@ -487,4 +489,6 @@
kauth_cred_t kauth_cred_get(void);
void kauth_proc_fork(struct proc *, struct proc *);
+void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);
+
#endif /* !_SYS_KAUTH_H_ */
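Review bot: The added prototype names its parameters (`cred`, `cwdi`) while the adjacent `kauth_proc_fork(struct proc *, struct proc *)` and `kauth_cred_get(void)` follow the file's unnamed-parameter style, and a blank line is introduced directly before `#endif` where none existed. For consistency I would write `void kauth_proc_chroot(kauth_cred_t, struct cwdinfo *);` and drop the extra blank line. The enum addition earlier in this file appends KAUTH_CRED_CHROOT after KAUTH_CRED_FREE, so existing action values are unchanged.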