Add new action KAUTH_CRED_CHROOT for kauth(9)'s credential scope.

Reviewed and approved by elad@.
2012-06-27 12:28:28 +00:00 · 2012-06-27 12:28:28 +00:00 · b6b59f4935
parent c915e1430c
commit b6b59f4935
4 changed files with 39 additions and 7 deletions
--- a/share/man/man9/kauth.9
+++ b/share/man/man9/kauth.9
@ -1,4 +1,4 @@
-.\" $NetBSD: kauth.9,v 1.100 2012/03/17 14:42:13 njoly Exp $
+.\" $NetBSD: kauth.9,v 1.101 2012/06/27 12:28:28 cheusov Exp $
 .\"
 .\" Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 .\" All rights reserved.
@ -1534,6 +1534,15 @@ and
 are both
 .Ft struct proc *
 of the parent and child processes, respectively.
+.It Dv KAUTH_CRED_CHROOT
+The credentials in cred belong to a process whose root directory is
+changed through
+.Xr change_root 9
+.Pp
+.Ar Arg0
+is the new
+.Ft struct cwdinfo *
+of the process.
 .It Dv KAUTH_CRED_FREE
 The credentials in
 .Ar cred
--- a/sys/kern/kern_auth.c
+++ b/sys/kern/kern_auth.c
@ -1,4 +1,4 @@
-/* $NetBSD: kern_auth.c,v 1.70 2012/06/27 10:06:55 cheusov Exp $ */
+/* $NetBSD: kern_auth.c,v 1.71 2012/06/27 12:28:28 cheusov Exp $ */

 /*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
@ -28,7 +28,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.70 2012/06/27 10:06:55 cheusov Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_auth.c,v 1.71 2012/06/27 12:28:28 cheusov Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -260,6 +260,12 @@ kauth_proc_fork(struct proc *parent, struct proc *child)
 	    child);
 }

+void
+kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi)
+{
+	kauth_cred_hook(cred, KAUTH_CRED_CHROOT, cwdi, NULL);
+}
+
 uid_t
 kauth_cred_getuid(kauth_cred_t cred)
 {
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vfs_syscalls.c,v 1.456 2012/05/08 08:44:49 gson Exp $	*/
+/*	$NetBSD: vfs_syscalls.c,v 1.457 2012/06/27 12:28:28 cheusov Exp $	*/

 /*-
 * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
@ -70,7 +70,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.456 2012/05/08 08:44:49 gson Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vfs_syscalls.c,v 1.457 2012/06/27 12:28:28 cheusov Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_fileassoc.h"
@ -1398,6 +1398,10 @@ sys_chroot(struct lwp *l, const struct sys_chroot_args *uap, register_t *retval)
 void
 change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
 {
+	struct proc *p = l->l_proc;
+	kauth_cred_t ncred;
+
+	ncred = kauth_cred_alloc();

 	rw_enter(&cwdi->cwdi_lock, RW_WRITER);
 	if (cwdi->cwdi_rdir != NULL)
@ -1419,6 +1423,15 @@ change_root(struct cwdinfo *cwdi, struct vnode *vp, struct lwp *l)
 		cwdi->cwdi_cdir = vp;
 	}
 	rw_exit(&cwdi->cwdi_lock);
+
+	/* Get a write lock on the process credential. */
+	proc_crmod_enter();
+
+	kauth_cred_clone(p->p_cred, ncred);
+	kauth_proc_chroot(ncred, p->p_cwdi);
+
+	/* Broadcast our credentials to the process and other LWPs. */
+ 	proc_crmod_leave(ncred, p->p_cred, true);
 }

 /*
--- a/sys/sys/kauth.h
+++ b/sys/sys/kauth.h
@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.69 2012/03/13 18:41:02 elad Exp $ */
+/* $NetBSD: kauth.h,v 1.70 2012/06/27 12:28:28 cheusov Exp $ */

 /*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
@ -44,6 +44,7 @@ struct ki_pcred;
 struct proc;
 struct tty;
 struct vnode;
+struct cwdinfo;
 enum vtype;

 /* Types. */
@ -331,7 +332,8 @@ enum {
 	KAUTH_CRED_INIT=1,
 	KAUTH_CRED_FORK,
 	KAUTH_CRED_COPY,
-	KAUTH_CRED_FREE
+	KAUTH_CRED_FREE,
+	KAUTH_CRED_CHROOT
 };

 /*
@ -487,4 +489,6 @@ kauth_action_t kauth_extattr_action(mode_t);
 kauth_cred_t kauth_cred_get(void);

 void kauth_proc_fork(struct proc *, struct proc *);
+void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);
+
 #endif	/* !_SYS_KAUTH_H_ */