Module Name: src Committed By: elad Date: Fri Oct 2 21:47:35 UTC 2009
Modified Files: src/sys/kern: kern_ktrace.c src/sys/secmodel/suser: secmodel_suser.c Log Message: Move ktrace's subsystem security policy to the subsystem itself, and keep just the suser-related logic in the suser secmodel. To generate a diff of this commit: cvs rdiff -u -r1.149 -r1.150 src/sys/kern/kern_ktrace.c cvs rdiff -u -r1.1 -r1.2 src/sys/secmodel/suser/secmodel_suser.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/kern/kern_ktrace.c diff -u src/sys/kern/kern_ktrace.c:1.149 src/sys/kern/kern_ktrace.c:1.150 --- src/sys/kern/kern_ktrace.c:1.149 Wed Aug 5 19:53:42 2009 +++ src/sys/kern/kern_ktrace.c Fri Oct 2 21:47:35 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: kern_ktrace.c,v 1.149 2009/08/05 19:53:42 dsl Exp $ */ +/* $NetBSD: kern_ktrace.c,v 1.150 2009/10/02 21:47:35 elad Exp $ */ /*- * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc. @@ -61,7 +61,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.149 2009/08/05 19:53:42 dsl Exp $"); +__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.150 2009/10/02 21:47:35 elad Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -179,6 +179,8 @@ static TAILQ_HEAD(, ktr_desc) ktdq = TAILQ_HEAD_INITIALIZER(ktdq); static pool_cache_t kte_cache; +static kauth_listener_t ktrace_listener; + static void ktd_wakeup(struct ktr_desc *ktd) { @@ -237,6 +239,39 @@ l->l_pflag &= ~LP_KTRACTIVE; } +static int +ktrace_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie, + void *arg0, void *arg1, void *arg2, void *arg3) +{ + struct proc *p; + int result; + enum kauth_process_req req; + + result = KAUTH_RESULT_DEFER; + p = arg0; + + if (action != KAUTH_PROCESS_KTRACE) + return result; + + req = (enum kauth_process_req)(unsigned long)arg1; + + /* Privileged; secmodel should handle these. */ + if (req == KAUTH_REQ_PROCESS_KTRACE_PERSISTENT) + return result; + + if ((p->p_traceflag & KTRFAC_PERSISTENT) || + (p->p_flag & PK_SUGID)) + return result; + + if (kauth_cred_geteuid(cred) == kauth_cred_getuid(p->p_cred) && + kauth_cred_getuid(cred) == kauth_cred_getsvuid(p->p_cred) && + kauth_cred_getgid(cred) == kauth_cred_getgid(p->p_cred) && + kauth_cred_getgid(cred) == kauth_cred_getsvgid(p->p_cred)) + result = KAUTH_RESULT_ALLOW; + + return result; +} + /* * Initialise the ktrace system. */ @@ -247,6 +282,9 @@ mutex_init(&ktrace_lock, MUTEX_DEFAULT, IPL_NONE); kte_cache = pool_cache_init(sizeof(struct ktrace_entry), 0, 0, 0, "ktrace", &pool_allocator_nointr, IPL_NONE, NULL, NULL, NULL); + + ktrace_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS, + ktrace_listener_cb, NULL); } /* Index: src/sys/secmodel/suser/secmodel_suser.c diff -u src/sys/secmodel/suser/secmodel_suser.c:1.1 src/sys/secmodel/suser/secmodel_suser.c:1.2 --- src/sys/secmodel/suser/secmodel_suser.c:1.1 Fri Oct 2 18:50:13 2009 +++ src/sys/secmodel/suser/secmodel_suser.c Fri Oct 2 21:47:35 2009 @@ -1,4 +1,4 @@ -/* $NetBSD: secmodel_suser.c,v 1.1 2009/10/02 18:50:13 elad Exp $ */ +/* $NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $ */ /*- * Copyright (c) 2006 Elad Efrat <e...@netbsd.org> * All rights reserved. @@ -38,7 +38,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.1 2009/10/02 18:50:13 elad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $"); #include <sys/types.h> #include <sys/param.h> @@ -624,33 +624,11 @@ break; } - case KAUTH_PROCESS_KTRACE: { - enum kauth_process_req req; - - req = (enum kauth_process_req)(unsigned long)arg1; - - if (isroot) { - result = KAUTH_RESULT_ALLOW; - break; - } else if (req == KAUTH_REQ_PROCESS_KTRACE_PERSISTENT) { - break; - } - - if ((p->p_traceflag & KTRFAC_PERSISTENT) || - (p->p_flag & PK_SUGID)) { - break; - } - - if (kauth_cred_geteuid(cred) == kauth_cred_getuid(p->p_cred) && - kauth_cred_getuid(cred) == kauth_cred_getsvuid(p->p_cred) && - kauth_cred_getgid(cred) == kauth_cred_getgid(p->p_cred) && - kauth_cred_getgid(cred) == kauth_cred_getsvgid(p->p_cred)) { + case KAUTH_PROCESS_KTRACE: + if (isroot) result = KAUTH_RESULT_ALLOW; - break; - } break; - } case KAUTH_PROCESS_PROCFS: { enum kauth_process_req req = (enum kauth_process_req)arg2;