NetBSD-Users archive


Re: pthread_setaffinity_np() permissions



On 02.11.2011 17:03, Sad Clouds wrote:
Hi, is there some setting that would allow pthread_setaffinity_np() to
succeed for non-root users, i.e. some form of RBAC?

Not that I know of. There was a discussion to introduce a sysctl(7), but it never actually got implemented (here's a quick patch).

sysctl -w security.models.suser.usersetaffinity=1

I would not call kauth(9) RBAC though; it's more ACLs.

--
Jean-Yves Migeon
jeanyves.migeon%free.fr@localhost
Index: sys/secmodel/suser/secmodel_suser.c
===================================================================
RCS file: /cvsroot/src/sys/secmodel/suser/secmodel_suser.c,v
retrieving revision 1.34
diff -u -p -r1.34 secmodel_suser.c
--- sys/secmodel/suser/secmodel_suser.c 29 Dec 2009 04:25:30 -0000      1.34
+++ sys/secmodel/suser/secmodel_suser.c 2 Nov 2011 22:54:08 -0000
@@ -58,6 +58,7 @@ MODULE(MODULE_CLASS_SECMODEL, suser, NUL
 
 static int secmodel_suser_curtain;
 /* static */ int dovfsusermount;
+/* static */ int dousersetaffinity;
 
 static kauth_listener_t l_generic, l_system, l_process, l_network, l_machdep,
     l_device, l_vnode;
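Review bot: `dousersetaffinity` is declared with `/* static */` commented out, copying the style of `dovfsusermount` on the line above, which gives a policy knob external linkage that nothing in this patch reads from another file. Unless some other file needs it, declare it `static int dousersetaffinity;`. Its implicit zero initialisation is what keeps the new behaviour opt-in, so a one-line comment stating that 0 (deny) is the intended default would help the next reader.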
@@ -109,6 +110,14 @@ sysctl_security_suser_setup(struct sysct
                       NULL, 0, &dovfsusermount, 0,
                       CTL_CREATE, CTL_EOL);
 
+       sysctl_createv(clog, 0, &rnode, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "usersetaffinity",
+                      SYSCTL_DESCR("Whether unprivileged users may control "
+                                   "CPU affinity"),
+                      NULL, 0, &dousersetaffinity, 0,
+                      CTL_CREATE, CTL_EOL);
+
        /* Compatibility: security.curtain */
        sysctl_createv(clog, 0, NULL, &rnode,
                       CTLFLAG_PERMANENT,
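Review bot: the new `usersetaffinity` node ships without documentation; the knobs under this subtree are described in sysctl(7) (where the reply says this one was discussed) and secmodel_suser(9), and both should gain an entry saying what the value means and that it takes effect immediately. The node is `CTLTYPE_INT` with `CTLFLAG_READWRITE`, so any integer is accepted; since the policy is a yes/no switch, use a boolean node type (`CTLTYPE_BOOL`) or at least say in the `SYSCTL_DESCR` that only 0 and 1 are meaningful.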
@@ -494,6 +503,13 @@ secmodel_suser_process_cb(kauth_cred_t c
        p = arg0;
 
        switch (action) {
+       case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
+               if (dousersetaffinity == 1) {
+                       if (kauth_cred_uidmatch(cred, p->p_cred))
+                               result = KAUTH_RESULT_ALLOW;
+               }
+               break;
+
        case KAUTH_PROCESS_SIGNAL:
        case KAUTH_PROCESS_KTRACE:
        case KAUTH_PROCESS_PROCFS:
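Review bot: this case ends with `break;`, and the next hunk removes `KAUTH_PROCESS_SCHEDULER_SETAFFINITY` from the group of cases that follows, so after the patch SETAFFINITY is only ever allowed here, i.e. when `dousersetaffinity == 1` and `kauth_cred_uidmatch(cred, p->p_cred)` succeeds; whatever that group decides for SIGNAL, SETPARAM, SETID and the other process operations no longer applies to setting affinity, not even with the knob at its default of 0 and not for a superuser acting on another user's process. Simplest fix: drop the `break;` so the new case falls through into the group (mark it `/* FALLTHROUGH */`), which keeps the group's decision and adds the same-uid allow on top. Also, `dousersetaffinity == 1` treats `sysctl -w ...=2` as disabled; test `!= 0` unless the node is restricted to 0/1.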
@@ -501,7 +517,6 @@ secmodel_suser_process_cb(kauth_cred_t c
        case KAUTH_PROCESS_SCHEDULER_GETPARAM:
        case KAUTH_PROCESS_SCHEDULER_SETPARAM:
        case KAUTH_PROCESS_SCHEDULER_GETAFFINITY:
-       case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
        case KAUTH_PROCESS_SETID:
        case KAUTH_PROCESS_KEVENT_FILTER:
        case KAUTH_PROCESS_NICE:
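Review bot: `KAUTH_PROCESS_SCHEDULER_GETAFFINITY` stays in this group while SETAFFINITY is moved out of it, so the knob loosens writing a thread's affinity but leaves reading it under the group's original policy; a user who can now pin via pthread_setaffinity_np() will expect pthread_getaffinity_np() on the same thread to succeed under the same condition. Either handle GETAFFINITY in the new case as well, or say in the sysctl description and the commit message that it is intentionally unaffected.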

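The sysctl knob in the reply only matters if you can see the failure it is meant to lift. The following probe is an added example, not code from the thread, from the posted patch or from NetBSD: it tries to pin the calling thread to one CPU with pthread_setaffinity_np() and reports whether the security model allowed it. On NetBSD it uses the cpuset(3) API that pthread_setaffinity_np(3) takes; on other systems it assumes glibc's cpu_set_t so the same program compiles and runs elsewhere. The function names pin_self_to_cpu(), first_allowed_cpu() and explain() are mine; the sysctl name quoted in the EPERM message is the one from the posted patch.

```c
/*
 * Added example (not part of the thread or the posted patch): probe whether the
 * calling thread may set its own CPU affinity. NetBSD: cpuset(3) API.
 * Elsewhere: glibc's cpu_set_t (assumed, so the probe builds on other systems).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>

/*
 * Pin the calling thread to a single CPU. Returns 0 on success or an errno
 * value: EPERM when the kernel's security model refuses the request (the
 * situation the original question describes), EINVAL for a CPU that does not
 * exist in the current affinity domain.
 */
int pin_self_to_cpu(unsigned cpu)
{
#ifdef __NetBSD__
	cpuset_t *cs = cpuset_create();
	if (cs == NULL)
		return ENOMEM;
	cpuset_zero(cs);
	if (cpuset_set(cpu, cs) != 0) {	/* CPU id out of range for this kernel */
		cpuset_destroy(cs);
		return EINVAL;
	}
	int rc = pthread_setaffinity_np(pthread_self(), cpuset_size(cs), cs);
	cpuset_destroy(cs);
	return rc;
#else
	cpu_set_t set;
	if (cpu >= (unsigned)CPU_SETSIZE)	/* CPU_SET() ignores out-of-range ids */
		return EINVAL;
	CPU_ZERO(&set);
	CPU_SET(cpu, &set);
	return pthread_setaffinity_np(pthread_self(), sizeof set, &set);
#endif
}

/*
 * Pick a CPU the thread is currently allowed to run on, so the probe does not
 * fail with EINVAL merely because CPU 0 lies outside a container's cpuset.
 * On NetBSD reading affinity is itself a privileged operation (GETAFFINITY
 * in the patch above), so fall back to CPU 0 there.
 */
unsigned first_allowed_cpu(void)
{
#ifndef __NetBSD__
	cpu_set_t set;
	CPU_ZERO(&set);
	if (sched_getaffinity(0, sizeof set, &set) == 0)
		for (unsigned i = 0; i < (unsigned)CPU_SETSIZE; i++)
			if (CPU_ISSET(i, &set))
				return i;
#endif
	return 0;
}

/* Human-readable verdict; the sysctl name is the one from the posted patch. */
const char *explain(int rc)
{
	switch (rc) {
	case 0:
		return "affinity set: this user may pin threads";
	case EPERM:
		return "EPERM: security model denies SETAFFINITY for this user "
		    "(with the patch: sysctl -w security.models.suser.usersetaffinity=1)";
	case EINVAL:
		return "EINVAL: CPU not present in the current affinity domain";
	default:
		return strerror(rc);
	}
}

int main(void)
{
	unsigned cpu = first_allowed_cpu();
	int rc = pin_self_to_cpu(cpu);
	printf("pin to cpu %u -> %s\n", cpu, explain(rc));
	return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: on a stock NetBSD kernel the unprivileged run reports EPERM, which is the kauth(9) decision for SETAFFINITY; after applying the patch and setting the knob, the same binary should report success for the user's own thread while still failing on a CPU id the kernel does not have.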
