Move policies for KAUTH_PROCESS_{CANSEE,CORENAME,STOPFLAG,FORK} back to
the subsystem. Note: Consider killing the signal listener and sticking KAUTH_PROCESS_SIGNAL here as well.
parent
e62043d705
commit
82ce55ed44
|
@ -1,4 +1,4 @@
|
||||||
/* $NetBSD: kern_proc.c,v 1.152 2009/05/23 18:28:06 ad Exp $ */
|
/* $NetBSD: kern_proc.c,v 1.153 2009/10/03 03:38:31 elad Exp $ */
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
|
* Copyright (c) 1999, 2006, 2007, 2008 The NetBSD Foundation, Inc.
|
||||||
|
@ -62,7 +62,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.152 2009/05/23 18:28:06 ad Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: kern_proc.c,v 1.153 2009/10/03 03:38:31 elad Exp $");
|
||||||
|
|
||||||
#include "opt_kstack.h"
|
#include "opt_kstack.h"
|
||||||
#include "opt_maxuprc.h"
|
#include "opt_maxuprc.h"
|
||||||
|
@ -235,6 +235,80 @@ static specificdata_domain_t proc_specificdata_domain;
|
||||||
|
|
||||||
static pool_cache_t proc_cache;
|
static pool_cache_t proc_cache;
|
||||||
|
|
||||||
|
static kauth_listener_t proc_listener;
|
||||||
|
|
||||||
|
static int
|
||||||
|
proc_listener_cb(kauth_cred_t cred, kauth_action_t action, void *cookie,
|
||||||
|
void *arg0, void *arg1, void *arg2, void *arg3)
|
||||||
|
{
|
||||||
|
struct proc *p;
|
||||||
|
int result;
|
||||||
|
|
||||||
|
result = KAUTH_RESULT_DEFER;
|
||||||
|
p = arg0;
|
||||||
|
|
||||||
|
switch (action) {
|
||||||
|
case KAUTH_PROCESS_CANSEE: {
|
||||||
|
enum kauth_process_req req;
|
||||||
|
|
||||||
|
req = (enum kauth_process_req)arg1;
|
||||||
|
|
||||||
|
switch (req) {
|
||||||
|
case KAUTH_REQ_PROCESS_CANSEE_ARGS:
|
||||||
|
case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
|
||||||
|
case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
|
||||||
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
|
case KAUTH_REQ_PROCESS_CANSEE_ENV:
|
||||||
|
if (kauth_cred_getuid(cred) !=
|
||||||
|
kauth_cred_getuid(p->p_cred) ||
|
||||||
|
kauth_cred_getuid(cred) !=
|
||||||
|
kauth_cred_getsvuid(p->p_cred))
|
||||||
|
break;
|
||||||
|
|
||||||
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
case KAUTH_PROCESS_FORK: {
|
||||||
|
int lnprocs = (int)(unsigned long)arg2;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Don't allow a nonprivileged user to use the last few
|
||||||
|
* processes. The variable lnprocs is the current number of
|
||||||
|
* processes, maxproc is the limit.
|
||||||
|
*/
|
||||||
|
if (__predict_false((lnprocs >= maxproc - 5)))
|
||||||
|
break;
|
||||||
|
|
||||||
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
case KAUTH_PROCESS_CORENAME:
|
||||||
|
case KAUTH_PROCESS_STOPFLAG:
|
||||||
|
if (proc_uidmatch(cred, p->p_cred) == 0)
|
||||||
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialize global process hashing structures.
|
* Initialize global process hashing structures.
|
||||||
*/
|
*/
|
||||||
|
@ -272,6 +346,9 @@ procinit(void)
|
||||||
|
|
||||||
proc_cache = pool_cache_init(sizeof(struct proc), 0, 0, 0,
|
proc_cache = pool_cache_init(sizeof(struct proc), 0, 0, 0,
|
||||||
"procpl", NULL, IPL_NONE, NULL, NULL, NULL);
|
"procpl", NULL, IPL_NONE, NULL, NULL, NULL);
|
||||||
|
|
||||||
|
proc_listener = kauth_listen_scope(KAUTH_SCOPE_PROCESS,
|
||||||
|
proc_listener_cb, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
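Review bot: `proc_listener_cb` has no header comment, and its `KAUTH_PROCESS_CANSEE` case sets `KAUTH_RESULT_ALLOW` unconditionally for the ARGS, ENTRY and OPENFILES requests, so the default for those requests now lives in this listener rather than in a security model. Assuming kauth's usual aggregation (any DENY wins, otherwise one ALLOW suffices), a security model that wants to restrict process visibility can no longer do so by deferring; it has to return `KAUTH_RESULT_DENY`. I would state that above the function, e.g. `/* Default process-scope policy: an ALLOW from here stands unless another listener returns DENY. */`, and mention that `cookie` and `arg3` are unused. As a smaller style point, `req = (enum kauth_process_req)arg1;` would be more consistent as `(enum kauth_process_req)(unsigned long)arg1`, matching the `lnprocs` conversion in the FORK case.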
|
@ -1,4 +1,4 @@
|
||||||
/* $NetBSD: secmodel_suser.c,v 1.24 2009/10/03 03:02:55 elad Exp $ */
|
/* $NetBSD: secmodel_suser.c,v 1.25 2009/10/03 03:38:31 elad Exp $ */
|
||||||
/*-
|
/*-
|
||||||
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
* Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
|
@ -38,7 +38,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.24 2009/10/03 03:02:55 elad Exp $");
|
__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.25 2009/10/03 03:38:31 elad Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
|
@ -496,6 +496,9 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
|
||||||
case KAUTH_PROCESS_SETID:
|
case KAUTH_PROCESS_SETID:
|
||||||
case KAUTH_PROCESS_KEVENT_FILTER:
|
case KAUTH_PROCESS_KEVENT_FILTER:
|
||||||
case KAUTH_PROCESS_NICE:
|
case KAUTH_PROCESS_NICE:
|
||||||
|
case KAUTH_PROCESS_FORK:
|
||||||
|
case KAUTH_PROCESS_CORENAME:
|
||||||
|
case KAUTH_PROCESS_STOPFLAG:
|
||||||
if (isroot)
|
if (isroot)
|
||||||
result = KAUTH_RESULT_ALLOW;
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
|
@ -510,20 +513,20 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
|
||||||
case KAUTH_REQ_PROCESS_CANSEE_ARGS:
|
case KAUTH_REQ_PROCESS_CANSEE_ARGS:
|
||||||
case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
|
case KAUTH_REQ_PROCESS_CANSEE_ENTRY:
|
||||||
case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
|
case KAUTH_REQ_PROCESS_CANSEE_OPENFILES:
|
||||||
if (!secmodel_suser_curtain)
|
if (isroot) {
|
||||||
result = KAUTH_RESULT_ALLOW;
|
|
||||||
else if (isroot || kauth_cred_uidmatch(cred, p->p_cred))
|
|
||||||
result = KAUTH_RESULT_ALLOW;
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (secmodel_suser_curtain) {
|
||||||
|
if (kauth_cred_uidmatch(cred, p->p_cred) != 0)
|
||||||
|
result = KAUTH_RESULT_DENY;
|
||||||
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case KAUTH_REQ_PROCESS_CANSEE_ENV:
|
case KAUTH_REQ_PROCESS_CANSEE_ENV:
|
||||||
if (!isroot &&
|
if (isroot)
|
||||||
(kauth_cred_getuid(cred) !=
|
|
||||||
kauth_cred_getuid(p->p_cred) ||
|
|
||||||
kauth_cred_getuid(cred) !=
|
|
||||||
kauth_cred_getsvuid(p->p_cred)))
|
|
||||||
break;
|
|
||||||
else
|
|
||||||
result = KAUTH_RESULT_ALLOW;
|
result = KAUTH_RESULT_ALLOW;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
@ -535,28 +538,6 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
case KAUTH_PROCESS_CORENAME:
|
|
||||||
if (isroot || proc_uidmatch(cred, p->p_cred) == 0)
|
|
||||||
result = KAUTH_RESULT_ALLOW;
|
|
||||||
|
|
||||||
break;
|
|
||||||
|
|
||||||
case KAUTH_PROCESS_FORK: {
|
|
||||||
int lnprocs = (int)(unsigned long)arg2;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Don't allow a nonprivileged user to use the last few
|
|
||||||
* processes. The variable lnprocs is the current number of
|
|
||||||
* processes, maxproc is the limit.
|
|
||||||
*/
|
|
||||||
if (__predict_false((lnprocs >= maxproc - 5) && !isroot))
|
|
||||||
break;
|
|
||||||
else
|
|
||||||
result = KAUTH_RESULT_ALLOW;
|
|
||||||
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case KAUTH_PROCESS_RLIMIT: {
|
case KAUTH_PROCESS_RLIMIT: {
|
||||||
enum kauth_process_req req;
|
enum kauth_process_req req;
|
||||||
|
|
||||||
|
@ -577,13 +558,6 @@ secmodel_suser_process_cb(kauth_cred_t cred, kauth_action_t action,
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
case KAUTH_PROCESS_STOPFLAG:
|
|
||||||
if (isroot || proc_uidmatch(cred, p->p_cred) == 0) {
|
|
||||||
result = KAUTH_RESULT_ALLOW;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
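Review bot: The new curtain check in the `KAUTH_REQ_PROCESS_CANSEE_ARGS`/`ENTRY`/`OPENFILES` case looks inverted: `if (kauth_cred_uidmatch(cred, p->p_cred) != 0) result = KAUTH_RESULT_DENY;` denies when the credentials match. The line it replaces, `else if (isroot || kauth_cred_uidmatch(cred, p->p_cred))`, allowed on a truthy return, so `kauth_cred_uidmatch` appears to return non-zero on a match, unlike `proc_uidmatch`, which this same commit compares with `== 0`. With `secmodel_suser_curtain` set, a non-root user would then be denied its own processes, while requests about other users' processes are deferred here and allowed by the kern_proc.c listener, which defeats the curtain. The condition should be `if (!kauth_cred_uidmatch(cred, p->p_cred))`. `secmodel_suser_process_cb` starts and ends outside the hunks shown.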