[src/trunk]: src/sys Move ktrace's subsystem security policy to the subsystem...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/sys Move ktrace's subsystem security policy to the subsystem...
From: elad <elad%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 17:58:32 +0000

details:   https://anonhg.NetBSD.org/src/rev/99333523fccc
branches:  trunk
changeset: 747822:99333523fccc
user:      elad <elad%NetBSD.org@localhost>
date:      Fri Oct 02 21:47:35 2009 +0000

description:
Move ktrace's subsystem security policy to the subsystem itself, and keep
just the suser-related logic in the suser secmodel.

diffstat:

 sys/kern/kern_ktrace.c              |  42 +++++++++++++++++++++++++++++++++++-
 sys/secmodel/suser/secmodel_suser.c |  30 +++----------------------
 2 files changed, 44 insertions(+), 28 deletions(-)

diffs (131 lines):

diff -r bfba10a7f9d4 -r 99333523fccc sys/kern/kern_ktrace.c
--- a/sys/kern/kern_ktrace.c    Fri Oct 02 21:44:02 2009 +0000
+++ b/sys/kern/kern_ktrace.c    Fri Oct 02 21:47:35 2009 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_ktrace.c,v 1.149 2009/08/05 19:53:42 dsl Exp $    */
+/*     $NetBSD: kern_ktrace.c,v 1.150 2009/10/02 21:47:35 elad Exp $   */
 
 /*-
  * Copyright (c) 2006, 2007, 2008 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.149 2009/08/05 19:53:42 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_ktrace.c,v 1.150 2009/10/02 21:47:35 elad Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -179,6 +179,8 @@
 static TAILQ_HEAD(, ktr_desc) ktdq = TAILQ_HEAD_INITIALIZER(ktdq);
 static pool_cache_t kte_cache;
 
+static kauth_listener_t ktrace_listener;
+
 static void
 ktd_wakeup(struct ktr_desc *ktd)
 {
@@ -237,6 +239,39 @@
        l->l_pflag &= ~LP_KTRACTIVE;
 }
 
+static int
+ktrace_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
+    void *arg0, void *arg1, void *arg2, void *arg3)
+{
+       struct proc *p;
+       int result;
+       enum kauth_process_req req;
+
+       result = KAUTH_RESULT_DEFER;
+       p = arg0;
+
+       if (action != KAUTH_PROCESS_KTRACE)
+               return result;
+
+       req = (enum kauth_process_req)(unsigned long)arg1;
+
+       /* Privileged; secmodel should handle these. */
+       if (req == KAUTH_REQ_PROCESS_KTRACE_PERSISTENT)
+               return result;
+
+       if ((p->p_traceflag & KTRFAC_PERSISTENT) ||
+           (p->p_flag & PK_SUGID))
+               return result;
+
+       if (kauth_cred_geteuid(cred) == kauth_cred_getuid(p->p_cred) &&
+           kauth_cred_getuid(cred) == kauth_cred_getsvuid(p->p_cred) &&
+           kauth_cred_getgid(cred) == kauth_cred_getgid(p->p_cred) &&
+           kauth_cred_getgid(cred) == kauth_cred_getsvgid(p->p_cred))
+               result = KAUTH_RESULT_ALLOW;
+
+       return result;
+}
+
 /*
  * Initialise the ktrace system.
  */
@@ -247,6 +282,9 @@
        mutex_init(&ktrace_lock, MUTEX_DEFAULT, IPL_NONE);
        kte_cache = pool_cache_init(sizeof(struct ktrace_entry), 0, 0, 0,
            "ktrace", &pool_allocator_nointr, IPL_NONE, NULL, NULL, NULL);
+
+       ktrace_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
+           ktrace_listener_cb, NULL); 
 }
 
 /*
diff -r bfba10a7f9d4 -r 99333523fccc sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Fri Oct 02 21:44:02 2009 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Fri Oct 02 21:47:35 2009 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.1 2009/10/02 18:50:13 elad Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.1 2009/10/02 18:50:13 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.2 2009/10/02 21:47:35 elad Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -624,33 +624,11 @@
                break;
                }
 
-       case KAUTH_PROCESS_KTRACE: {
-               enum kauth_process_req req;
-
-               req = (enum kauth_process_req)(unsigned long)arg1;
-
-               if (isroot) {
+       case KAUTH_PROCESS_KTRACE:
+               if (isroot)
                        result = KAUTH_RESULT_ALLOW;
-                       break;
-               } else if (req == KAUTH_REQ_PROCESS_KTRACE_PERSISTENT) {
-                       break;
-               }
-
-               if ((p->p_traceflag & KTRFAC_PERSISTENT) ||
-                   (p->p_flag & PK_SUGID)) {
-                       break;
-               }
-
-               if (kauth_cred_geteuid(cred) == kauth_cred_getuid(p->p_cred) &&
-                   kauth_cred_getuid(cred) == kauth_cred_getsvuid(p->p_cred) &&
-                   kauth_cred_getgid(cred) == kauth_cred_getgid(p->p_cred) &&
-                   kauth_cred_getgid(cred) == kauth_cred_getsvgid(p->p_cred)) {
-                       result = KAUTH_RESULT_ALLOW;
-                       break;
-               }
 
                break;
-               }
 
        case KAUTH_PROCESS_PROCFS: {
                enum kauth_process_req req = (enum kauth_process_req)arg2;

Prev by Date: [src/trunk]: src/external/bsd/dhcpcd/dist Add back dhcpcd.conf
Next by Date: [src/trunk]: src/doc Import dhcpcd-5.1.1
Previous by Thread: [src/trunk]: src/external/bsd/dhcpcd/dist Add back dhcpcd.conf
Next by Thread: [src/trunk]: src/doc Import dhcpcd-5.1.1
Indexes:

Home | Main Index | Thread Index | Old Index