Make the PMC syscalls privileged.

2017-06-14 17:48:40 +00:00 · 2017-06-14 17:48:40 +00:00 · 9d643d5f09
commit 9d643d5f09
parent 8a4a6a0611
3 changed files with 33 additions and 14 deletions
--- a/sys/arch/x86/x86/pmc.c
+++ b/sys/arch/x86/x86/pmc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: pmc.c,v 1.7 2017/05/23 08:54:39 nonaka Exp $	*/
+/*	$NetBSD: pmc.c,v 1.8 2017/06/14 17:48:40 maxv Exp $	*/

 /*
 * Copyright (c) 2017 The NetBSD Foundation, Inc.
@ -67,13 +67,14 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pmc.c,v 1.7 2017/05/23 08:54:39 nonaka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmc.c,v 1.8 2017/06/14 17:48:40 maxv Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/cpu.h>
 #include <sys/xcall.h>
+#include <sys/kauth.h>

 #include <machine/cpufunc.h>
 #include <machine/cpuvar.h>
@ -325,6 +326,12 @@ int
 sys_pmc_info(struct lwp *l, struct x86_pmc_info_args *uargs, register_t *retval)
 {
 	struct x86_pmc_info_args rv;
+	int error;
+
+	error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86PMC,
+	    NULL, NULL, NULL, NULL);
+	if (error)
+		return error;

 	memset(&rv, 0, sizeof(rv));

@ -344,6 +351,11 @@ sys_pmc_startstop(struct lwp *l, struct x86_pmc_startstop_args *uargs,
 	bool start;
 	int error;

+	error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86PMC,
+	    NULL, NULL, NULL, NULL);
+	if (error)
+		return error;
+
 	if (pmc_type == PMC_TYPE_NONE)
 		return ENODEV;

@ -386,6 +398,11 @@ sys_pmc_read(struct lwp *l, struct x86_pmc_read_args *uargs, register_t *retval)
 	size_t nval;
 	int error;

+	error = kauth_authorize_machdep(l->l_cred, KAUTH_MACHDEP_X86PMC,
+	    NULL, NULL, NULL, NULL);
+	if (error)
+		return error;
+
 	if (pmc_type == PMC_TYPE_NONE)
 		return ENODEV;

--- a/sys/secmodel/suser/secmodel_suser.c
+++ b/sys/secmodel/suser/secmodel_suser.c
@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.42 2015/08/17 06:16:03 knakahara Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.43 2017/06/14 17:48:41 maxv Exp $ */
 /*-
 * Copyright (c) 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
@ -38,7 +38,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.42 2015/08/17 06:16:03 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.43 2017/06/14 17:48:41 maxv Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -834,13 +834,13 @@ int
 secmodel_suser_machdep_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
 {
-        bool isroot;
-        int result;
+	bool isroot;
+	int result;

-        isroot = suser_isroot(cred);
-        result = KAUTH_RESULT_DEFER;
+	isroot = suser_isroot(cred);
+	result = KAUTH_RESULT_DEFER;

-        switch (action) {
+	switch (action) {
 	case KAUTH_MACHDEP_CPU_UCODE_APPLY:
 	case KAUTH_MACHDEP_IOPERM_GET:
 	case KAUTH_MACHDEP_LDT_GET:
@ -853,6 +853,7 @@ secmodel_suser_machdep_cb(kauth_cred_t cred, kauth_action_t action,
 	case KAUTH_MACHDEP_NVRAM:
 	case KAUTH_MACHDEP_UNMANAGEDMEM:
 	case KAUTH_MACHDEP_PXG:
+	case KAUTH_MACHDEP_X86PMC:
 		if (isroot)
 			result = KAUTH_RESULT_ALLOW;
 		break;
@ -875,11 +876,11 @@ int
 secmodel_suser_device_cb(kauth_cred_t cred, kauth_action_t action,
    void *cookie, void *arg0, void *arg1, void *arg2, void *arg3)
 {
-        bool isroot;
-        int result;
+	bool isroot;
+	int result;

-        isroot = suser_isroot(cred);
-        result = KAUTH_RESULT_DEFER;
+	isroot = suser_isroot(cred);
+	result = KAUTH_RESULT_DEFER;

 	switch (action) {
 	case KAUTH_DEVICE_BLUETOOTH_SETPRIV:
--- a/sys/sys/kauth.h
+++ b/sys/sys/kauth.h
@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.73 2015/10/06 22:13:39 christos Exp $ */
+/* $NetBSD: kauth.h,v 1.74 2017/06/14 17:48:41 maxv Exp $ */

 /*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
@ -321,6 +321,7 @@ enum {
 	KAUTH_MACHDEP_NVRAM,
 	KAUTH_MACHDEP_UNMANAGEDMEM,
 	KAUTH_MACHDEP_PXG,
+	KAUTH_MACHDEP_X86PMC
 };

 /*