Sat Oct 3 03:38:31 2009 UTC ()
Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to
the subsystem.

Note: Consider killing the signal listener and sticking
      KAUTH_PROCESS_SIGNAL here as well.


(elad)
diff -r1.152 -r1.153 src/sys/kern/kern_proc.c
diff -r1.24 -r1.25 src/sys/secmodel/suser/secmodel_suser.c
cvs diff -r1.152 -r1.153 src/sys/kern/kern_proc.c (expand / switch to unified diff)

--- src/sys/kern/kern_proc.c 2009/05/23 18:28:06 1.152
+++ src/sys/kern/kern_proc.c 2009/10/03 03:38:31 1.153
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: kern_proc.c,v 1.152 2009/05/23 18:28:06 ad Exp $ */ 1/* $NetBSD: kern_proc.c,v 1.153 2009/10/03 03:38:31 elad Exp $ */
2 2
3/*- 3/*-
4 * Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc. 4 * Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * This code is derived from software contributed to The NetBSD Foundation 7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Jason R. Thorpe of the Numerical Aerospace Simulation Facility, 8 * by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
9 * NASA Ames Research Center, and by Andrew Doran. 9 * NASA Ames Research Center, and by Andrew Doran.
10 * 10 *
11 * Redistribution and use in source and binary forms, with or without 11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions 12 * modification, are permitted provided that the following conditions
13 * are met: 13 * are met:
14 * 1. Redistributions of source code must retain the above copyright 14 * 1. Redistributions of source code must retain the above copyright
@@ -52,27 +52,27 @@ @@ -52,27 +52,27 @@
52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 52 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 53 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 54 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 55 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 56 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 57 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 58 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
59 * SUCH DAMAGE. 59 * SUCH DAMAGE.
60 * 60 *
61 * @(#)kern_proc.c 8.7 (Berkeley) 2/14/95 61 * @(#)kern_proc.c 8.7 (Berkeley) 2/14/95
62 */ 62 */
63 63
64#include <sys/cdefs.h> 64#include <sys/cdefs.h>
65__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.152 2009/05/23 18:28:06 ad Exp $"); 65__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.153 2009/10/03 03:38:31 elad Exp $");
66 66
67#include "opt_kstack.h" 67#include "opt_kstack.h"
68#include "opt_maxuprc.h" 68#include "opt_maxuprc.h"
69 69
70#include <sys/param.h> 70#include <sys/param.h>
71#include <sys/systm.h> 71#include <sys/systm.h>
72#include <sys/kernel.h> 72#include <sys/kernel.h>
73#include <sys/proc.h> 73#include <sys/proc.h>
74#include <sys/resourcevar.h> 74#include <sys/resourcevar.h>
75#include <sys/buf.h> 75#include <sys/buf.h>
76#include <sys/acct.h> 76#include <sys/acct.h>
77#include <sys/wait.h> 77#include <sys/wait.h>
78#include <sys/file.h> 78#include <sys/file.h>
@@ -225,26 +225,100 @@ const struct proclist_desc proclists[] = @@ -225,26 +225,100 @@ const struct proclist_desc proclists[] =
225 { &allproc }, 225 { &allproc },
226 { &zombproc }, 226 { &zombproc },
227 { NULL }, 227 { NULL },
228}; 228};
229 229
230static struct pgrp * pg_remove(pid_t); 230static struct pgrp * pg_remove(pid_t);
231static void pg_delete(pid_t); 231static void pg_delete(pid_t);
232static void orphanpg(struct pgrp *); 232static void orphanpg(struct pgrp *);
233 233
234static specificdata_domain_t proc_specificdata_domain; 234static specificdata_domain_t proc_specificdata_domain;
235 235
236static pool_cache_t proc_cache; 236static pool_cache_t proc_cache;
237 237
 238static kauth_listener_t proc_listener;
 239
 240static int
 241proc_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
 242 void *arg0, void *arg1, void *arg2, void *arg3)
 243{
 244 struct proc *p;
 245 int result;
 246
 247 result = KAUTH_RESULT_DEFER;
 248 p = arg0;
 249
 250 switch (action) {
 251 case KAUTH_PROCESS_CANSEE: {
 252 enum kauth_process_req req;
 253
 254 req = (enum kauth_process_req)arg1;
 255
 256 switch (req) {
 257 case KAUTH_REQ_PROCESS_CANSEE_ARGS:
 258 case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
 259 case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
 260 result = KAUTH_RESULT_ALLOW;
 261
 262 break;
 263
 264 case KAUTH_REQ_PROCESS_CANSEE_ENV:
 265 if (kauth_cred_getuid(cred) !=
 266 kauth_cred_getuid(p->p_cred) ||
 267 kauth_cred_getuid(cred) !=
 268 kauth_cred_getsvuid(p->p_cred))
 269 break;
 270
 271 result = KAUTH_RESULT_ALLOW;
 272
 273 break;
 274
 275 default:
 276 break;
 277 }
 278
 279 break;
 280 }
 281
 282 case KAUTH_PROCESS_FORK: {
 283 int lnprocs = (int)(unsigned long)arg2;
 284
 285 /*
 286 * Don't allow a nonprivileged user to use the last few
 287 * processes. The variable lnprocs is the current number of
 288 * processes, maxproc is the limit.
 289 */
 290 if (__predict_false((lnprocs >= maxproc - 5)))
 291 break;
 292
 293 result = KAUTH_RESULT_ALLOW;
 294
 295 break;
 296 }
 297
 298 case KAUTH_PROCESS_CORENAME:
 299 case KAUTH_PROCESS_STOPFLAG:
 300 if (proc_uidmatch(cred, p->p_cred) == 0)
 301 result = KAUTH_RESULT_ALLOW;
 302
 303 break;
 304
 305 default:
 306 break;
 307 }
 308
 309 return result;
 310}
 311
238/* 312/*
239 * Initialize global process hashing structures. 313 * Initialize global process hashing structures.
240 */ 314 */
241void 315void
242procinit(void) 316procinit(void)
243{ 317{
244 const struct proclist_desc *pd; 318 const struct proclist_desc *pd;
245 u_int i; 319 u_int i;
246#define LINK_EMPTY ((PID_MAX + INITIAL_PID_TABLE_SIZE) & ~(INITIAL_PID_TABLE_SIZE - 1)) 320#define LINK_EMPTY ((PID_MAX + INITIAL_PID_TABLE_SIZE) & ~(INITIAL_PID_TABLE_SIZE - 1))
247 321
248 for (pd = proclists; pd->pd_list != NULL; pd++) 322 for (pd = proclists; pd->pd_list != NULL; pd++)
249 LIST_INIT(pd->pd_list); 323 LIST_INIT(pd->pd_list);
250 324
@@ -262,26 +336,29 @@ procinit(void) @@ -262,26 +336,29 @@ procinit(void)
262 next_free_pt = 1; 336 next_free_pt = 1;
263 /* Need to fix last entry. */ 337 /* Need to fix last entry. */
264 last_free_pt = pid_tbl_mask; 338 last_free_pt = pid_tbl_mask;
265 pid_table[last_free_pt].pt_proc = P_FREE(LINK_EMPTY); 339 pid_table[last_free_pt].pt_proc = P_FREE(LINK_EMPTY);
266 /* point at which we grow table - to avoid reusing pids too often */ 340 /* point at which we grow table - to avoid reusing pids too often */
267 pid_alloc_lim = pid_tbl_mask - 1; 341 pid_alloc_lim = pid_tbl_mask - 1;
268#undef LINK_EMPTY 342#undef LINK_EMPTY
269 343
270 proc_specificdata_domain = specificdata_domain_create(); 344 proc_specificdata_domain = specificdata_domain_create();
271 KASSERT(proc_specificdata_domain != NULL); 345 KASSERT(proc_specificdata_domain != NULL);
272 346
273 proc_cache = pool_cache_init(sizeof(struct proc), 0, 0, 0, 347 proc_cache = pool_cache_init(sizeof(struct proc), 0, 0, 0,
274 "procpl", NULL, IPL_NONE, NULL, NULL, NULL); 348 "procpl", NULL, IPL_NONE, NULL, NULL, NULL);
 349
 350 proc_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
 351 proc_listener_cb, NULL);
275} 352}
276 353
277/* 354/*
278 * Initialize process 0. 355 * Initialize process 0.
279 */ 356 */
280void 357void
281proc0_init(void) 358proc0_init(void)
282{ 359{
283 struct proc *p; 360 struct proc *p;
284 struct pgrp *pg; 361 struct pgrp *pg;
285 struct session *sess; 362 struct session *sess;
286 struct lwp *l; 363 struct lwp *l;
287 rlim_t lim; 364 rlim_t lim;
cvs diff -r1.24 -r1.25 src/sys/secmodel/suser/secmodel_suser.c (expand / switch to unified diff)

--- src/sys/secmodel/suser/secmodel_suser.c 2009/10/03 03:02:55 1.24
+++ src/sys/secmodel/suser/secmodel_suser.c 2009/10/03 03:38:31 1.25
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: secmodel_suser.c,v 1.24 2009/10/03 03:02:55 elad Exp $ */ 1/* $NetBSD: secmodel_suser.c,v 1.25 2009/10/03 03:38:31 elad Exp $ */
2/*- 2/*-
3 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org> 3 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
4 * All rights reserved. 4 * All rights reserved.
5 * 5 *
6 * Redistribution and use in source and binary forms, with or without 6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions 7 * modification, are permitted provided that the following conditions
8 * are met: 8 * are met:
9 * 1. Redistributions of source code must retain the above copyright 9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer. 10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright 11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the 12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution. 13 * documentation and/or other materials provided with the distribution.
14 * 3. The name of the author may not be used to endorse or promote products 14 * 3. The name of the author may not be used to endorse or promote products
@@ -28,27 +28,27 @@ @@ -28,27 +28,27 @@
28 28
29/* 29/*
30 * This file contains kauth(9) listeners needed to implement the traditional 30 * This file contains kauth(9) listeners needed to implement the traditional
31 * NetBSD superuser access restrictions. 31 * NetBSD superuser access restrictions.
32 * 32 *
33 * There are two main resources a request can be issued to: user-owned and 33 * There are two main resources a request can be issued to: user-owned and
34 * system owned. For the first, traditional Unix access checks are done, as 34 * system owned. For the first, traditional Unix access checks are done, as
35 * well as superuser checks. If needed, the request context is examined before 35 * well as superuser checks. If needed, the request context is examined before
36 * a decision is made. For the latter, usually only superuser checks are done 36 * a decision is made. For the latter, usually only superuser checks are done
37 * as normal users are not allowed to access system resources. 37 * as normal users are not allowed to access system resources.
38 */ 38 */
39 39
40#include <sys/cdefs.h> 40#include <sys/cdefs.h>
41__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.24 2009/10/03 03:02:55 elad Exp $"); 41__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.25 2009/10/03 03:38:31 elad Exp $");
42 42
43#include <sys/types.h> 43#include <sys/types.h>
44#include <sys/param.h> 44#include <sys/param.h>
45#include <sys/kauth.h> 45#include <sys/kauth.h>
46 46
47#include <sys/mutex.h> 47#include <sys/mutex.h>
48#include <sys/mount.h> 48#include <sys/mount.h>
49#include <sys/socketvar.h> 49#include <sys/socketvar.h>
50#include <sys/sysctl.h> 50#include <sys/sysctl.h>
51#include <sys/vnode.h> 51#include <sys/vnode.h>
52#include <sys/proc.h> 52#include <sys/proc.h>
53#include <sys/uidinfo.h> 53#include <sys/uidinfo.h>
54#include <sys/module.h> 54#include <sys/module.h>
@@ -486,114 +486,88 @@ secmodel_suser_process_cb(kauth_cred_t c @@ -486,114 +486,88 @@ secmodel_suser_process_cb(kauth_cred_t c
486 p = arg0; 486 p = arg0;
487 487
488 switch (action) { 488 switch (action) {
489 case KAUTH_PROCESS_SIGNAL: 489 case KAUTH_PROCESS_SIGNAL:
490 case KAUTH_PROCESS_KTRACE: 490 case KAUTH_PROCESS_KTRACE:
491 case KAUTH_PROCESS_PROCFS: 491 case KAUTH_PROCESS_PROCFS:
492 case KAUTH_PROCESS_PTRACE: 492 case KAUTH_PROCESS_PTRACE:
493 case KAUTH_PROCESS_SCHEDULER_GETPARAM: 493 case KAUTH_PROCESS_SCHEDULER_GETPARAM:
494 case KAUTH_PROCESS_SCHEDULER_SETPARAM: 494 case KAUTH_PROCESS_SCHEDULER_SETPARAM:
495 case KAUTH_PROCESS_SCHEDULER_SETAFFINITY: 495 case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
496 case KAUTH_PROCESS_SETID: 496 case KAUTH_PROCESS_SETID:
497 case KAUTH_PROCESS_KEVENT_FILTER: 497 case KAUTH_PROCESS_KEVENT_FILTER:
498 case KAUTH_PROCESS_NICE: 498 case KAUTH_PROCESS_NICE:
 499 case KAUTH_PROCESS_FORK:
 500 case KAUTH_PROCESS_CORENAME:
 501 case KAUTH_PROCESS_STOPFLAG:
499 if (isroot) 502 if (isroot)
500 result = KAUTH_RESULT_ALLOW; 503 result = KAUTH_RESULT_ALLOW;
501 504
502 break; 505 break;
503 506
504 case KAUTH_PROCESS_CANSEE: { 507 case KAUTH_PROCESS_CANSEE: {
505 unsigned long req; 508 unsigned long req;
506 509
507 req = (unsigned long)arg1; 510 req = (unsigned long)arg1;
508 511
509 switch (req) { 512 switch (req) {
510 case KAUTH_REQ_PROCESS_CANSEE_ARGS: 513 case KAUTH_REQ_PROCESS_CANSEE_ARGS:
511 case KAUTH_REQ_PROCESS_CANSEE_ENTRY: 514 case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
512 case KAUTH_REQ_PROCESS_CANSEE_OPENFILES: 515 case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
513 if (!secmodel_suser_curtain) 516 if (isroot) {
514 result = KAUTH_RESULT_ALLOW; 
515 else if (isroot || kauth_cred_uidmatch(cred, p->p_cred)) 
516 result = KAUTH_RESULT_ALLOW; 517 result = KAUTH_RESULT_ALLOW;
 518 break;
 519 }
 520
 521 if (secmodel_suser_curtain) {
 522 if (kauth_cred_uidmatch(cred, p->p_cred) != 0)
 523 result = KAUTH_RESULT_DENY;
 524 }
 525
517 break; 526 break;
518 527
519 case KAUTH_REQ_PROCESS_CANSEE_ENV: 528 case KAUTH_REQ_PROCESS_CANSEE_ENV:
520 if (!isroot && 529 if (isroot)
521 (kauth_cred_getuid(cred) != 
522 kauth_cred_getuid(p->p_cred) || 
523 kauth_cred_getuid(cred) != 
524 kauth_cred_getsvuid(p->p_cred))) 
525 break; 
526 else 
527 result = KAUTH_RESULT_ALLOW; 530 result = KAUTH_RESULT_ALLOW;
528 531
529 break; 532 break;
530 533
531 default: 534 default:
532 break; 535 break;
533 } 536 }
534 537
535 break; 538 break;
536 } 539 }
537 540
538 case KAUTH_PROCESS_CORENAME: 
539 if (isroot || proc_uidmatch(cred, p->p_cred) == 0) 
540 result = KAUTH_RESULT_ALLOW; 
541 
542 break; 
543 
544 case KAUTH_PROCESS_FORK: { 
545 int lnprocs = (int)(unsigned long)arg2; 
546 
547 /* 
548 * Don't allow a nonprivileged user to use the last few 
549 * processes. The variable lnprocs is the current number of 
550 * processes, maxproc is the limit. 
551 */ 
552 if (__predict_false((lnprocs >= maxproc - 5) && !isroot)) 
553 break; 
554 else 
555 result = KAUTH_RESULT_ALLOW; 
556 
557 break; 
558 } 
559 
560 case KAUTH_PROCESS_RLIMIT: { 541 case KAUTH_PROCESS_RLIMIT: {
561 enum kauth_process_req req; 542 enum kauth_process_req req;
562 543
563 req = (enum kauth_process_req)(unsigned long)arg1; 544 req = (enum kauth_process_req)(unsigned long)arg1;
564 545
565 switch (req) { 546 switch (req) {
566 case KAUTH_REQ_PROCESS_RLIMIT_SET: 547 case KAUTH_REQ_PROCESS_RLIMIT_SET:
567 case KAUTH_REQ_PROCESS_RLIMIT_GET: 548 case KAUTH_REQ_PROCESS_RLIMIT_GET:
568 if (isroot) 549 if (isroot)
569 result = KAUTH_RESULT_ALLOW; 550 result = KAUTH_RESULT_ALLOW;
570 551
571 break; 552 break;
572 553
573 default: 554 default:
574 break; 555 break;
575 } 556 }
576 557
577 break; 558 break;
578 } 559 }
579 560
580 case KAUTH_PROCESS_STOPFLAG: 
581 if (isroot || proc_uidmatch(cred, p->p_cred) == 0) { 
582 result = KAUTH_RESULT_ALLOW; 
583 break; 
584 } 
585 break; 
586 
587 default: 561 default:
588 break; 562 break;
589 } 563 }
590 564
591 return (result); 565 return (result);
592} 566}
593 567
594/* 568/*
595 * kauth(9) listener 569 * kauth(9) listener
596 * 570 *
597 * Security model: Traditional NetBSD 571 * Security model: Traditional NetBSD
598 * Scope: Network 572 * Scope: Network
599 * Responsibility: Superuser access 573 * Responsibility: Superuser access