Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move ptrace's security policy back to the subsystem itself. 

Add a ptrace_init() so we have a place to register the listener; called
next to ktrinit().
This commit is contained in:
elad 2009-10-02 22:18:56 +00:00
parent 9a472060de
commit 2ae3a70827
4 changed files with 95 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sys/kern/init_main.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $ */
/* $NetBSD: init_main.c,v 1.404 2009/10/02 22:18:57 elad Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@ -97,7 +97,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.404 2009/10/02 22:18:57 elad Exp $");
#include "opt_ddb.h"
#include "opt_ipsec.h"
@ -112,6 +112,7 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $")
#include "opt_pax.h"
#include "opt_compat_netbsd.h"
#include "opt_wapbl.h"
#include "opt_ptrace.h"
#include "drvctl.h"
#include "ksyms.h"
@ -201,6 +202,9 @@ __KERNEL_RCSID(0, "$NetBSD: init_main.c,v 1.403 2009/10/02 18:50:14 elad Exp $")
#include <sys/savar.h>
#endif
#include <net80211/ieee80211_netbsd.h>
#ifdef PTRACE
#include <sys/ptrace.h>
#endif /* PTRACE */
#include <sys/syscall.h>
#include <sys/syscallargs.h>
@ -550,6 +554,11 @@ main(void)
ktrinit();
#endif
#ifdef PTRACE
/* Initialize ptrace. */
ptrace_init();
#endif /* PTRACE */
/* Initialize the UUID system calls. */
uuid_init();

79
sys/kern/sys_process.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $ */
/* $NetBSD: sys_process.c,v 1.148 2009/10/02 22:18:57 elad Exp $ */
/*-
* Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@ -118,7 +118,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $");
__KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.148 2009/10/02 22:18:57 elad Exp $");
#include "opt_ptrace.h"
#include "opt_ktrace.h"
@ -141,6 +141,80 @@ __KERNEL_RCSID(0, "$NetBSD: sys_process.c,v 1.147 2009/06/28 11:42:07 yamt Exp $
#include <machine/reg.h>
#ifdef PTRACE
static kauth_listener_t ptrace_listener;
static int
ptrace_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
void *arg0, void *arg1, void *arg2, void *arg3)
{
struct proc *p;
int result;
result = KAUTH_RESULT_DEFER;
p = arg0;
if (action != KAUTH_PROCESS_PTRACE)
return result;
switch ((u_long)arg1) {
case PT_TRACE_ME:
case PT_ATTACH:
case PT_WRITE_I:
case PT_WRITE_D:
case PT_READ_I:
case PT_READ_D:
case PT_IO:
#ifdef PT_GETREGS
case PT_GETREGS:
#endif
#ifdef PT_SETREGS
case PT_SETREGS:
#endif
#ifdef PT_GETFPREGS
case PT_GETFPREGS:
#endif
#ifdef PT_SETFPREGS
case PT_SETFPREGS:
#endif
#ifdef __HAVE_PTRACE_MACHDEP
PTRACE_MACHDEP_REQUEST_CASES
#endif
if (kauth_cred_getuid(cred) != kauth_cred_getuid(p->p_cred) ||
ISSET(p->p_flag, PK_SUGID)) {
break;
}
result = KAUTH_RESULT_ALLOW;
break;
#ifdef PT_STEP
case PT_STEP:
#endif
case PT_CONTINUE:
case PT_KILL:
case PT_DETACH:
case PT_LWPINFO:
case PT_SYSCALL:
case PT_DUMPCORE:
result = KAUTH_RESULT_ALLOW;
break;
default:
break;
}
return result;
}
void
ptrace_init(void)
{
ptrace_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
ptrace_listener_cb, NULL);
}
/*
* Process debugging system call.
*/
@ -958,3 +1032,4 @@ process_stoptrace(void)
KERNEL_LOCK(l->l_biglocks, l);
}
#endif /* KTRACE || PTRACE */

60
sys/secmodel/suser/secmodel_suser.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $ */
/* $NetBSD: secmodel_suser.c,v 1.5 2009/10/02 22:18:57 elad Exp $ */
/*-
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
* All rights reserved.
@ -38,7 +38,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.4 2009/10/02 22:05:52 elad Exp $");
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.5 2009/10/02 22:18:57 elad Exp $");
#include <sys/types.h>
#include <sys/param.h>
@ -640,63 +640,11 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
break;
}
case KAUTH_PROCESS_PTRACE: {
switch ((u_long)arg1) {
case PT_TRACE_ME:
case PT_ATTACH:
case PT_WRITE_I:
case PT_WRITE_D:
case PT_READ_I:
case PT_READ_D:
case PT_IO:
#ifdef PT_GETREGS
case PT_GETREGS:
#endif
#ifdef PT_SETREGS
case PT_SETREGS:
#endif
#ifdef PT_GETFPREGS
case PT_GETFPREGS:
#endif
#ifdef PT_SETFPREGS
case PT_SETFPREGS:
#endif
#ifdef __HAVE_PTRACE_MACHDEP
PTRACE_MACHDEP_REQUEST_CASES
#endif
if (isroot) {
result = KAUTH_RESULT_ALLOW;
break;
}
if (kauth_cred_getuid(cred) !=
kauth_cred_getuid(p->p_cred) ||
ISSET(p->p_flag, PK_SUGID)) {
break;
}
case KAUTH_PROCESS_PTRACE:
if (isroot)
result = KAUTH_RESULT_ALLOW;
break;
#ifdef PT_STEP
case PT_STEP:
#endif
case PT_CONTINUE:
case PT_KILL:
case PT_DETACH:
case PT_LWPINFO:
case PT_SYSCALL:
case PT_DUMPCORE:
result = KAUTH_RESULT_ALLOW;
break;
default:
result = KAUTH_RESULT_DEFER;
break;
}
break;
}
case KAUTH_PROCESS_CORENAME:
if (isroot || proc_uidmatch(cred, p->p_cred) == 0)

4
sys/sys/ptrace.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: ptrace.h,v 1.40 2008/01/05 12:41:43 dsl Exp $ */
/* $NetBSD: ptrace.h,v 1.41 2009/10/02 22:18:56 elad Exp $ */
/*-
* Copyright (c) 1984, 1993
@ -99,6 +99,8 @@ struct fpreg;
#endif
#endif
void ptrace_init(void);
int process_doregs(struct lwp *, struct lwp *, struct uio *);
int process_validregs(struct lwp *);