

[src/trunk]: src/sys Add new sysctl(3) entry: security.models.extensions.user...



details:   https://anonhg.NetBSD.org/src/rev/22565fe6226b
branches:  trunk
changeset: 321876:22565fe6226b
user:      kamil <kamil%NetBSD.org@localhost>
date:      Sun Apr 08 14:46:32 2018 +0000

description:
Add new sysctl(3) entry: security.models.extensions.user_set_dbregs

Model this new sysctl(3) entry after "user_set_cpu_affinity" in the same
level of sysctl(3) switches.

Allow to read unconditionally Debug Registers (no change here). This is
convenient as even if a user of a debugger does not use hardware assisted
watchpoints/breakpoints, a debugger can still prompt these values to store
in an internal cache with context of registers. Reading them should have
no security concerns.

Add a paranoid MI switch that, while disabled, prohibits a regular user
(non-superuser) from setting these registers. Make this switch disabled by default.
There are enough reserved bits out there to allow using them
unconditionally on hardened hosts.

Features shipped with Debug Registers are optional features in debuggers.
There is no reduction in elementary functionality.

Reviewed by <christos>

Sponsored by <The NetBSD Foundation>

diffstat:

 sys/kern/sys_ptrace_common.c                  |  15 ++++++++++++---
 sys/secmodel/extensions/secmodel_extensions.c |  23 +++++++++++++++++++++--
 2 files changed, 33 insertions(+), 5 deletions(-)

diffs (115 lines):

diff -r 9f7b5c5a8d06 -r 22565fe6226b sys/kern/sys_ptrace_common.c
--- a/sys/kern/sys_ptrace_common.c      Sun Apr 08 14:21:23 2018 +0000
+++ b/sys/kern/sys_ptrace_common.c      Sun Apr 08 14:46:32 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sys_ptrace_common.c,v 1.35 2018/03/05 11:24:34 kamil Exp $     */
+/*     $NetBSD: sys_ptrace_common.c,v 1.36 2018/04/08 14:46:32 kamil Exp $     */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@@ -118,7 +118,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sys_ptrace_common.c,v 1.35 2018/03/05 11:24:34 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sys_ptrace_common.c,v 1.36 2018/04/08 14:46:32 kamil Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ptrace.h"
@@ -218,6 +218,9 @@
 {
        struct proc *p;
        int result;
+#ifdef PT_SETDBREGS
+       extern int user_set_dbregs;
+#endif
 
        result = KAUTH_RESULT_DEFER;
        p = arg0;
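Review bot: The function-scope `extern int user_set_dbregs;` couples sys_ptrace_common.c to a symbol that the second file of this change defines non-static in secmodel_extensions.c (the `int user_set_dbregs;` hunk there) with no header declaring it, so the two sides can drift silently and the link breaks if the extensions secmodel is ever built separately; the same remark applies to that definition hunk. The conventional fix is one declaration in a shared kernel header under `#ifdef _KERNEL`, with the definition keeping a module-qualified name such as `secmodel_extensions_user_set_dbregs`. Hedged, since the rest of this listener is not visible here: the policy decision could instead live in the extensions secmodel's own process listener, next to where user_set_cpu_affinity is consulted, which would keep the knob private to its module. The enclosing function starts before this hunk.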
@@ -231,6 +234,13 @@
                goto out;
 
        switch ((u_long)arg1) {
+#ifdef PT_SETDBREGS
+       case_PT_SETDBREGS
+               if (kauth_cred_getuid(cred) != 0 && user_set_dbregs == 0) {
+                       result = KAUTH_RESULT_DENY;
+                       break;
+               }
+#endif
        case PT_TRACE_ME:
        case PT_ATTACH:
        case PT_WRITE_I:
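Review bot: When the new `if` does not fire, control falls out of the `#ifdef PT_SETDBREGS` block into `case PT_TRACE_ME:`, and that fallthrough is unmarked; add `/* FALLTHROUGH */` after the closing brace of the `if` so the intent is explicit and lint does not flag it. The privilege test also compares the real uid (`kauth_cred_getuid(cred) != 0`) rather than the effective uid, which is what the suser secmodel uses to decide superuser elsewhere in kauth; unless real uid is deliberate, `kauth_cred_geteuid(cred) != 0` is the conventional check, and whichever is intended deserves a one-line comment because the sysctl description only says "unprivileged users". The switch statement continues outside the hunk.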
@@ -243,7 +253,6 @@
        case_PT_GETFPREGS
        case_PT_SETFPREGS
        case_PT_GETDBREGS
-       case_PT_SETDBREGS
        case PT_SET_EVENT_MASK:
        case PT_GET_EVENT_MASK:
        case PT_GET_PROCESS_STATE:
diff -r 9f7b5c5a8d06 -r 22565fe6226b sys/secmodel/extensions/secmodel_extensions.c
--- a/sys/secmodel/extensions/secmodel_extensions.c     Sun Apr 08 14:21:23 2018 +0000
+++ b/sys/secmodel/extensions/secmodel_extensions.c     Sun Apr 08 14:46:32 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $ */
+/* $NetBSD: secmodel_extensions.c,v 1.8 2018/04/08 14:46:32 kamil Exp $ */
 /*-
  * Copyright (c) 2011 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -27,7 +27,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.7 2015/12/12 14:57:52 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.8 2018/04/08 14:46:32 kamil Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -38,6 +38,7 @@
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/proc.h>
+#include <sys/ptrace.h>
 #include <sys/module.h>
 
 #include <secmodel/secmodel.h>
@@ -49,6 +50,10 @@
 static int curtain;
 static int user_set_cpu_affinity;
 
+#ifdef PT_SETDBREGS
+int user_set_dbregs;
+#endif
+
 static kauth_listener_t l_system, l_process, l_network;
 
 static secmodel_t extensions_sm;
@@ -135,6 +140,17 @@
                       &user_set_cpu_affinity, 0,
                       CTL_CREATE, CTL_EOL);
 
+#ifdef PT_SETDBREGS
+       sysctl_createv(clog, 0, &rnode, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "user_set_dbregs",
+                      SYSCTL_DESCR("Whether unprivileged users may set "\
+                                   "CPU Debug Registers."),
+                      sysctl_extensions_user_handler, 0,
+                      &user_set_dbregs, 0,
+                      CTL_CREATE, CTL_EOL);
+#endif
+
        /* Compatibility: vfs.generic.usermount */
        sysctl_createv(clog, 0, NULL, NULL,
                       CTLFLAG_PERMANENT,
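Review bot: The backslash-newline after the first `SYSCTL_DESCR` string literal is unnecessary: adjacent string literals are concatenated by the compiler even inside a macro argument, so the line can end at `"Whether unprivileged users may set "` and continue on the next line exactly as it does now, without the stray `\`. Otherwise the new node mirrors the user_set_cpu_affinity entry directly above it (same flags and the same `sysctl_extensions_user_handler`), which matches the commit description. The sysctl setup function starts and ends outside this hunk.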
@@ -250,6 +266,9 @@
 
        curtain = 0;
        user_set_cpu_affinity = 0;
+#ifdef PT_SETDBREGS
+       user_set_dbregs = 0;
+#endif
 }
 
 static void


