move security.setid_core.* to kern.coredump.setid.*, as requested by yamt@.

2006-07-14 21:55:19 +00:00 · 2006-07-14 21:55:19 +00:00 · 1c8d298b89
parent 669a86ac31
commit 1c8d298b89
4 changed files with 88 additions and 80 deletions
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.3,v 1.171 2006/07/14 18:41:40 elad Exp $
+.\"	$NetBSD: sysctl.3,v 1.172 2006/07/14 21:55:19 elad Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -999,6 +999,29 @@ Each element of the array contains the kernel address of a vnode
 .Va struct vnode *
 followed by the vnode itself
 .Va struct vnode .
+.It Li kern.coredump.setid
+Settings related to set-id processes coredumps.
+By default, set-id processes do not dump core in situations where
+other processes would.
+The settings in this node allows an administrator to change this
+behavior.
+.Pp
+.Bl -tag -width "123456"
+.It Li kern.coredump.setid.dump
+If non-zero, set-id processes will dump core.
+.It Li kern.coredump.setid.group
+The group-id for the set-id processes' coredump.
+.It Li kern.coredump.setid.mode
+The mode for the set-id processes' coredump.
+See
+.Xr chmod 1 .
+.It Li kern.coredump.setid.owner
+The user-id that will be used as the owner of the set-id processes'
+coredump.
+.It Li kern.coredump.setid.path
+The path to which set-id processes' coredumps will be saved to.
+Same syntax as kern.defcorename.
+.El
 .El
 .Sh CTL_MACHDEP
 The set of variables defined is architecture dependent.
@ -2013,29 +2036,6 @@ Otherwise, all programs will not get the PaX MPROTECT restrictions,
 except those specifically marked as such with
 .Xr paxctl 1.
 .El
-.It Li security.setid_core
-Settings related to set-id processes coredumps.
-By default, set-id processes do not dump core in situations where
-other processes would.
-The settings in this node allows an administrator to change this
-behavior.
-.Pp
-.Bl -tag -width "123456"
-.It Li security.setid_core.dump
-If non-zero, set-id processes will dump core.
-.It Li security.setid_core.group
-The group-id for the set-id processes' coredump.
-.It Li security.setid_core.mode
-The mode for the set-id processes' coredump.
-See
-.Xr chmod 1 .
-.It Li security.setid_core.owner
-The user-id that will be used as the owner of the set-id processes'
-coredump.
-.It Li security.setid_core.path
-The path to which set-id processes' coredumps will be saved to.
-Same syntax as kern.defcorename.
-.El
 .El
 .Sh CTL_VENDOR
 The "vendor" toplevel name is reserved to be used by vendors who wish to
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.8,v 1.148 2006/07/14 18:41:40 elad Exp $
+.\"	$NetBSD: sysctl.8,v 1.149 2006/07/14 21:55:19 elad Exp $
 .\"
 .\" Copyright (c) 2004 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -287,6 +287,13 @@ privilege can change the value.
 .It kern.ccpu	integer	no
 .It kern.clockrate	struct	no
 .It kern.consdev	integer	no
+.It kern.coredump	node	not applicable
+.It kern.coredump.setid	node	not applicable
+.It kern.coredump.setid.dump	integer	yes
+.It kern.coredump.setid.group	integer	yes
+.It kern.coredump.setid.mode	integer	yes
+.It kern.coredump.setid.owner	integer	yes
+.It kern.coredump.setid.path	string	yes
 .It kern.cp_id	struct	no
 .It kern.cp_time	struct	no
 .It kern.cryptodevallowsoft	int	yes
@ -542,12 +549,6 @@ privilege can change the value.
 .It security.curtain	integer	yes
 .It security.pax.mprotect.enabled	integer	yes
 .It security.pax.mprotect.global_protection	integer	yes
-.It security.setid_core	node	not applicable
-.It security.setid_core.dump	integer	yes
-.It security.setid_core.group	integer	yes
-.It security.setid_core.mode	integer	yes
-.It security.setid_core.owner	integer	yes
-.It security.setid_core.path	string	yes
 .It user.bc_base_max	integer	no
 .It user.bc_dim_max	integer	no
 .It user.bc_scale_max	integer	no
--- a/sbin/sysctl/sysctl.c
+++ b/sbin/sysctl/sysctl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: sysctl.c,v 1.115 2006/03/30 08:02:40 jnemeth Exp $ */
+/*	$NetBSD: sysctl.c,v 1.116 2006/07/14 21:55:19 elad Exp $ */

 /*-
 * Copyright (c) 2003 The NetBSD Foundation, Inc.
@ -72,7 +72,7 @@ __COPYRIGHT(
 #if 0
 static char sccsid[] = "@(#)sysctl.c	8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: sysctl.c,v 1.115 2006/03/30 08:02:40 jnemeth Exp $");
+__RCSID("$NetBSD: sysctl.c,v 1.116 2006/07/14 21:55:19 elad Exp $");
 #endif
 #endif /* not lint */

@ -192,6 +192,8 @@ static const struct handlespec {
 	{ "/kern/sysvipc_info",			printother, NULL, "ipcs" },
 	{ "/kern/cp_id(/[0-9]+)?",		kern_cp_id },

+	{ "/kern/coredump/setid/mode",		mode_bits, mode_bits },
+
 	{ "/vm/vmmeter",			printother, NULL,
 						"vmstat' or 'systat" },
 	{ "/vm/loadavg",			vm_loadavg },
@ -223,8 +225,6 @@ static const struct handlespec {

 	{ "/proc/[^/]+/rlimit/[^/]+/[^/]+",	proc_limit, proc_limit },

-	{ "/security/setid_core/mode",		mode_bits, mode_bits },
-
 	/*
 	 * these will only be called when the given node has no children
 	 */
--- a/sys/kern/init_sysctl.c
+++ b/sys/kern/init_sysctl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: init_sysctl.c,v 1.74 2006/06/21 13:46:17 christos Exp $ */
+/*	$NetBSD: init_sysctl.c,v 1.75 2006/07/14 21:55:19 elad Exp $ */

 /*-
 * Copyright (c) 2003 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.74 2006/06/21 13:46:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: init_sysctl.c,v 1.75 2006/07/14 21:55:19 elad Exp $");

 #include "opt_sysv.h"
 #include "opt_multiprocessor.h"
@ -277,6 +277,7 @@ SYSCTL_SETUP(sysctl_kern_setup, "sysctl kern subtree setup")
 	extern int kern_logsigexit;	/* defined in kern/kern_sig.c */
 	extern fixpt_t ccpu;		/* defined in kern/kern_synch.c */
 	extern int dumponpanic;		/* defined in kern/subr_prf.c */
+	const struct sysctlnode *rnode;

 	sysctl_createv(clog, 0, NULL, NULL,
 		       CTLFLAG_PERMANENT,
@ -804,6 +805,55 @@ SYSCTL_SETUP(sysctl_kern_setup, "sysctl kern subtree setup")
 		       SYSCTL_DESCR("Mapping of CPU number to CPU id"),
 		       sysctl_kern_cpid, 0, NULL, 0,
 		       CTL_KERN, KERN_CP_ID, CTL_EOL);
+
+	sysctl_createv(clog, 0, NULL, &rnode,
+		       CTLFLAG_PERMANENT,
+		       CTLTYPE_NODE, "coredump",
+		       SYSCTL_DESCR("Coredump settings."),
+		       NULL, 0, NULL, 0,
+		       CTL_KERN, CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, &rnode,
+		       CTLFLAG_PERMANENT,
+		       CTLTYPE_NODE, "setid",
+		       SYSCTL_DESCR("Set-id processes' coredump settings."),
+		       NULL, 0, NULL, 0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "dump",
+		       SYSCTL_DESCR("Allow set-id processes to dump core."),
+		       sysctl_security_setidcore, 0, &security_setidcore_dump,
+		       sizeof(security_setidcore_dump),
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_STRING, "path",
+		       SYSCTL_DESCR("Path pattern for set-id coredumps."),
+		       sysctl_security_setidcorename, 0,
+		       &security_setidcore_path,
+		       sizeof(security_setidcore_path),
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "owner",
+		       SYSCTL_DESCR("Owner id for set-id processes' cores."),
+		       sysctl_security_setidcore, 0, &security_setidcore_owner,
+		       0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "group",
+		       SYSCTL_DESCR("Group id for set-id processes' cores."),
+		       sysctl_security_setidcore, 0, &security_setidcore_group,
+		       0,
+		       CTL_CREATE, CTL_EOL);
+	sysctl_createv(clog, 0, &rnode, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_INT, "mode",
+		       SYSCTL_DESCR("Mode for set-id processes' cores."),
+		       sysctl_security_setidcore, 0, &security_setidcore_mode,
+		       0,
+		       CTL_CREATE, CTL_EOL);
 }

 SYSCTL_SETUP(sysctl_kern_proc_setup,
@ -1037,49 +1087,6 @@ SYSCTL_SETUP(sysctl_security_setup, "sysctl security subtree setup")
 				    " to users not owning them."),
 		       NULL, 0, &security_curtain, 0,
 		       CTL_CREATE, CTL_EOL);
-
-	sysctl_createv(clog, 0, &rnode, &rnode,
-		       CTLFLAG_PERMANENT,
-		       CTLTYPE_NODE, "setid_core",
-		       SYSCTL_DESCR("Set-id processes' coredump settings."),
-		       NULL, 0, NULL, 0,
-		       CTL_CREATE, CTL_EOL);
-	sysctl_createv(clog, 0, &rnode, NULL,
-		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		       CTLTYPE_INT, "dump",
-		       SYSCTL_DESCR("Allow set-id processes to dump core."),
-		       sysctl_security_setidcore, 0, &security_setidcore_dump,
-		       sizeof(security_setidcore_dump),
-		       CTL_CREATE, CTL_EOL);
-	sysctl_createv(clog, 0, &rnode, NULL,
-		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		       CTLTYPE_STRING, "path",
-		       SYSCTL_DESCR("Path pattern for set-id coredumps."),
-		       sysctl_security_setidcorename, 0,
-		       &security_setidcore_path,
-		       sizeof(security_setidcore_path),
-		       CTL_CREATE, CTL_EOL);
-	sysctl_createv(clog, 0, &rnode, NULL,
-		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		       CTLTYPE_INT, "owner",
-		       SYSCTL_DESCR("Owner id for set-id processes' cores."),
-		       sysctl_security_setidcore, 0, &security_setidcore_owner,
-		       0,
-		       CTL_CREATE, CTL_EOL);
-	sysctl_createv(clog, 0, &rnode, NULL,
-		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		       CTLTYPE_INT, "group",
-		       SYSCTL_DESCR("Group id for set-id processes' cores."),
-		       sysctl_security_setidcore, 0, &security_setidcore_group,
-		       0,
-		       CTL_CREATE, CTL_EOL);
-	sysctl_createv(clog, 0, &rnode, NULL,
-		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
-		       CTLTYPE_INT, "mode",
-		       SYSCTL_DESCR("Mode for set-id processes' cores."),
-		       sysctl_security_setidcore, 0, &security_setidcore_mode,
-		       0,
-		       CTL_CREATE, CTL_EOL);
 }

 /*