Sun Dec 4 21:04:51 2011 UTC ()
When user_set_cpu_affinity is non-zero, only allow users to modify
the CPU affinity of the LWPs they own.


(jym)
diff -r1.1 -r1.2 src/sys/secmodel/extensions/secmodel_extensions.c


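--- a/src/sys/secmodel/extensions/secmodel_extensions.c
+++ b/src/sys/secmodel/extensions/secmodel_extensions.c
@@ -1,14 +1,14 @@
-/* $NetBSD: secmodel_extensions.c,v 1.1 2011/12/04 19:25:00 jym Exp $ */
+/* $NetBSD: secmodel_extensions.c,v 1.2 2011/12/04 21:04:51 jym Exp $ */
 /*-
  * Copyright (c) 2011 Elad Efrat <elad@NetBSD.org>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
  * documentation and/or other materials provided with the distribution.
  * 3. The name of the author may not be used to endorse or promote products
@@ -17,27 +17,27 @@
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.1 2011/12/04 19:25:00 jym Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.2 2011/12/04 21:04:51 jym Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/kauth.h>
 
 #include <sys/mount.h>
 #include <sys/vnode.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
 #include <sys/proc.h>
 #include <sys/module.h>
 
 #include <secmodel/secmodel.h>
@@ -403,27 +403,30 @@ secmodel_extensions_process_cb(kauth_cre
 }
 }
 
 break;
 
 default:
 break;
 }
 
 break;
 
 case KAUTH_PROCESS_SCHEDULER_SETAFFINITY:
 if (user_set_cpu_affinity != 0) {
-result = KAUTH_RESULT_ALLOW;
+struct proc *p = arg0;
+
+if (kauth_cred_uidmatch(cred, p->p_cred))
+result = KAUTH_RESULT_ALLOW;
 }
 break;
 
 default:
 break;
 }
 
 return (result);
 }
 
 static int
 secmodel_extensions_network_cb(kauth_cred_t cred, kauth_action_t action,
 void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)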
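Review bot: The new lines 416–419 dereference `p->p_cred` and rely on `arg0` being the target process without saying so, and the outcome when the uid test fails is left implicit; a comment above `struct proc *p = arg0;` such as `/* arg0 is the target process; only a caller whose credentials share a uid with it may change its affinity, otherwise result keeps its earlier value and the other secmodels decide */` would make the authorization decision readable. It is also worth confirming that kauth_cred_uidmatch is the intended ownership test: if, as I believe but cannot see here, it matches on any of the real, effective or saved uids of either credential, it is broader than "the LWPs they own" in the commit message, and a set-uid process becomes affinity-controllable by its real-uid owner. Whether root still passes when the match fails depends on the value result carries into this case (its initialization is outside the hunk, as is the start of secmodel_extensions_process_cb), and whether the caller holds p->p_lock for the p_cred read is likewise not visible from this hunk.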