Module Name: src
Committed By: elad
Date: Fri Oct 2 23:00:02 UTC 2009
Modified Files:
src/sys/miscfs/procfs: procfs_vfsops.c
src/sys/secmodel/suser: secmodel_suser.c
Log Message:
Put procfs policy back in the subsystem.
To generate a diff of this commit:
cvs rdiff -u -r1.83 -r1.84 src/sys/miscfs/procfs/procfs_vfsops.c
cvs rdiff -u -r1.7 -r1.8 src/sys/secmodel/suser/secmodel_suser.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/miscfs/procfs/procfs_vfsops.c
diff -u src/sys/miscfs/procfs/procfs_vfsops.c:1.83 src/sys/miscfs/procfs/procfs_vfsops.c:1.84
--- src/sys/miscfs/procfs/procfs_vfsops.c:1.83 Sun Mar 15 17:22:38 2009
+++ src/sys/miscfs/procfs/procfs_vfsops.c Fri Oct 2 23:00:02 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: procfs_vfsops.c,v 1.83 2009/03/15 17:22:38 cegger Exp $ */
+/* $NetBSD: procfs_vfsops.c,v 1.84 2009/10/02 23:00:02 elad Exp $ */
/*
* Copyright (c) 1993
@@ -76,7 +76,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: procfs_vfsops.c,v 1.83 2009/03/15 17:22:38 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: procfs_vfsops.c,v 1.84 2009/10/02 23:00:02 elad Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -110,6 +110,8 @@
static struct sysctllog *procfs_sysctl_log;
+static kauth_listener_t procfs_listener;
+
/*
* VFS Operations.
*
@@ -305,6 +307,45 @@
};
static int
+procfs_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+ void *arg0, void *arg1, void *arg2, void *arg3)
+{
+ struct proc *p;
+ struct pfsnode *pfs;
+ enum kauth_process_req req;
+ int result;
+
+ result = KAUTH_RESULT_DEFER;
+ p = arg0;
+ pfs = arg1;
+ req = (enum kauth_process_req)(unsigned long)arg2;
+
+ if (action != KAUTH_PROCESS_PROCFS)
+ return result;
+
+ /* Privileged; let secmodel handle that. */
+ if (req == KAUTH_REQ_PROCESS_PROCFS_CTL)
+ return result;
+
+ switch (pfs->pfs_type) {
+ case PFSregs:
+ case PFSfpregs:
+ case PFSmem:
+ if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
+ ISSET(p->p_flag, PK_SUGID))
+ break;
+
+ /*FALLTHROUGH*/
+ default:
+ result = KAUTH_RESULT_ALLOW;
+ break;
+ }
+
+ return result;
+}
+
+
+static int
procfs_modcmd(modcmd_t cmd, void *arg)
{
int error;
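Review bot: procfs_listener_cb is added without a header comment, and since the companion change to secmodel_suser.c now only handles the root case, this function is the sole place where the non-privileged procfs policy is decided; the reader cannot tell from the code why KAUTH_REQ_PROCESS_PROCFS_CTL is deferred rather than denied. I would put above the function: `/* kauth process-scope listener: for non-privileged callers, allow access to a target's procfs files, but defer (and so deny unless another listener allows) regs/fpregs/mem when the caller's uid differs from the target's or the target has PK_SUGID set. PROCFS_CTL and privileged callers are left to the secmodel. */`. As a point of style, the two early guards return `result` while it still holds its initial value; writing `return KAUTH_RESULT_DEFER;` there makes the fail-closed default visible at each exit and lets `result` be declared at the switch. Note also that pfs and p are dereferenced without a NULL check, which appears to be the existing contract inherited from the removed secmodel code — worth a one-line comment stating that arg0/arg1 are guaranteed non-NULL by the caller, if that is indeed the case.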
@@ -330,12 +371,17 @@
* one more instance of the "number to vfs" mapping problem,
* but "12" is the order as taken from sys/mount.h
*/
+
+ procfs_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
+ procfs_listener_cb, NULL);
+
break;
case MODULE_CMD_FINI:
error = vfs_detach(&procfs_vfsops);
if (error != 0)
break;
sysctl_teardown(&procfs_sysctl_log);
+ kauth_unlisten_scope(procfs_listener);
break;
default:
error = ENOTTY;
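Review bot: In MODULE_CMD_FINI the listener is removed after sysctl_teardown, whereas in MODULE_CMD_INIT it is registered after the sysctl setup (the INIT body begins outside this hunk, so I am inferring the setup order from the preceding comment); teardown conventionally mirrors setup in reverse, so `kauth_unlisten_scope(procfs_listener);` would sit before `sysctl_teardown(&procfs_sysctl_log);`. Since the listener is registered last in INIT, any accesses between vfs_attach and kauth_listen_scope see no procfs listener and thus fall through to the secmodel alone, which is fail-closed for non-root callers; a short comment at the registration site, `/* Registered last: until now only the secmodel's (root-only) policy applies. */`, would document that the ordering is deliberate. Clearing `procfs_listener = NULL;` after the unlisten would also make a double FINI or a later re-INIT easier to diagnose.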
Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.7 src/sys/secmodel/suser/secmodel_suser.c:1.8
--- src/sys/secmodel/suser/secmodel_suser.c:1.7 Fri Oct 2 22:46:18 2009
+++ src/sys/secmodel/suser/secmodel_suser.c Fri Oct 2 23:00:02 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.8 2009/10/02 23:00:02 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <[email protected]>
* All rights reserved.
@@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.7 2009/10/02 22:46:18 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.8 2009/10/02 23:00:02 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -574,36 +574,11 @@
break;
- case KAUTH_PROCESS_PROCFS: {
- enum kauth_process_req req = (enum kauth_process_req)arg2;
- struct pfsnode *pfs = arg1;
-
- if (isroot) {
- result = KAUTH_RESULT_ALLOW;
- break;
- }
-
- if (req == KAUTH_REQ_PROCESS_PROCFS_CTL) {
- break;
- }
-
- switch (pfs->pfs_type) {
- case PFSregs:
- case PFSfpregs:
- case PFSmem:
- if (kauth_cred_getuid(cred) !=
- kauth_cred_getuid(p->p_cred) ||
- ISSET(p->p_flag, PK_SUGID)) {
- break;
- }
- /*FALLTHROUGH*/
- default:
+ case KAUTH_PROCESS_PROCFS:
+ if (isroot)
result = KAUTH_RESULT_ALLOW;
- break;
- }
break;
- }
case KAUTH_PROCESS_PTRACE:
if (isroot)