Add KAUTH_REQ_PROCESS_CANSEE_EPROC, and use it for the kern.proc node.

Same permission as before, so no functional change.
2018-08-25 09:54:37 +00:00 · 2018-08-25 09:54:37 +00:00 · 2ce97679ef
parent 7c68bf2efd
commit 2ce97679ef
5 changed files with 15 additions and 11 deletions
--- a/share/examples/secmodel/secmodel_example.c
+++ b/share/examples/secmodel/secmodel_example.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_example.c,v 1.27 2018/07/15 05:16:40 maxv Exp $ */
+/* $NetBSD: secmodel_example.c,v 1.28 2018/08/25 09:54:37 maxv Exp $ */

 /*
 * This file is placed in the public domain.
@ -13,7 +13,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.27 2018/07/15 05:16:40 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_example.c,v 1.28 2018/08/25 09:54:37 maxv Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -370,6 +370,7 @@ secmodel_example_process_cb(kauth_cred_t cred, kauth_action_t action,
 		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
 		case KAUTH_REQ_PROCESS_CANSEE_ENV:
 		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
+		case KAUTH_REQ_PROCESS_CANSEE_EPROC:
 		default:
 			result = KAUTH_RESULT_DEFER;
 			break;
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: kern_proc.c,v 1.212 2018/04/14 14:26:20 kamil Exp $	*/
+/*	$NetBSD: kern_proc.c,v 1.213 2018/08/25 09:54:37 maxv Exp $	*/

 /*-
 * Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
@ -62,7 +62,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.212 2018/04/14 14:26:20 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.213 2018/08/25 09:54:37 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_kstack.h"
@ -263,8 +263,8 @@ proc_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
 		case KAUTH_REQ_PROCESS_CANSEE_ARGS:
 		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
 		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
+		case KAUTH_REQ_PROCESS_CANSEE_EPROC:
 			result = KAUTH_RESULT_ALLOW;
-
 			break;

 		case KAUTH_REQ_PROCESS_CANSEE_ENV:
@ -1701,7 +1701,7 @@ sysctl_doeproc(SYSCTLFN_ARGS)
 		mutex_enter(p->p_lock);
 		error = kauth_authorize_process(l->l_cred,
 		    KAUTH_PROCESS_CANSEE, p,
-		    KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_ENTRY), NULL, NULL);
+		    KAUTH_ARG(KAUTH_REQ_PROCESS_CANSEE_EPROC), NULL, NULL);
 		if (error != 0) {
 			mutex_exit(p->p_lock);
 			continue;
--- a/sys/secmodel/extensions/secmodel_extensions.c
+++ b/sys/secmodel/extensions/secmodel_extensions.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_extensions.c,v 1.8 2018/04/08 14:46:32 kamil Exp $ */
+/* $NetBSD: secmodel_extensions.c,v 1.9 2018/08/25 09:54:37 maxv Exp $ */
 /*-
 * Copyright (c) 2011 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -27,7 +27,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.8 2018/04/08 14:46:32 kamil Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_extensions.c,v 1.9 2018/08/25 09:54:37 maxv Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -428,6 +428,7 @@ secmodel_extensions_process_cb(kauth_cred_t cred, kauth_action_t action,
 		case KAUTH_REQ_PROCESS_CANSEE_ARGS:
 		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
 		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
+		case KAUTH_REQ_PROCESS_CANSEE_EPROC:
 			if (curtain != 0) {
 				struct proc *p = arg0;

--- a/sys/secmodel/suser/secmodel_suser.c
+++ b/sys/secmodel/suser/secmodel_suser.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.46 2018/07/15 05:16:45 maxv Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.47 2018/08/25 09:54:37 maxv Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -38,7 +38,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.46 2018/07/15 05:16:45 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.47 2018/08/25 09:54:37 maxv Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -499,6 +499,7 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
 		case KAUTH_REQ_PROCESS_CANSEE_ARGS:
 		case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
 		case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
+		case KAUTH_REQ_PROCESS_CANSEE_EPROC:
 			if (isroot) {
 				result = KAUTH_RESULT_ALLOW;
 				break;
--- a/sys/sys/kauth.h
+++ b/sys/sys/kauth.h
@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.78 2018/07/15 05:16:45 maxv Exp $ */
+/* $NetBSD: kauth.h,v 1.79 2018/08/25 09:54:37 maxv Exp $ */

 /*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
@ -230,6 +230,7 @@ enum kauth_process_req {
 	KAUTH_REQ_PROCESS_RLIMIT_GET,
 	KAUTH_REQ_PROCESS_RLIMIT_SET,
 	KAUTH_REQ_PROCESS_RLIMIT_BYPASS,
+	KAUTH_REQ_PROCESS_CANSEE_EPROC,
 };

 /*