mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-03 09:00:21 +00:00
Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:
setuid() mac_check_proc_setuid()
seteuid() mac_check_proc_seteuid()
setgid() mac_check_proc_setgid()
setegid() mac_check_proc_setegid()
setgroups() mac_check_proc_setgroups()
setreuid() mac_check_proc_setreuid()
setregid() mac_check_proc_setregid()
setresuid() mac_check_proc_setresuid()
setresgid() mac_check_rpoc_setresgid()
MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org>
Obtained from: TrustedBSD Project
This commit is contained in:
Robert Watson
parent
a431f9bb61
commit
030a28b3b5
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=145147
@ -500,6 +500,12 @@ setuid(struct thread *td, struct setuid_args *uap)
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setuid(p, oldcred, uid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* See if we have "permission" by POSIX 1003.1 rules.
|
||||
*
|
||||
@ -524,12 +530,8 @@ setuid(struct thread *td, struct setuid_args *uap)
|
||||
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
|
||||
uid != oldcred->cr_uid && /* allow setuid(geteuid()) */
|
||||
#endif
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
uifree(uip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Copy credentials so other references do not see our changes.
|
||||
@ -579,6 +581,12 @@ setuid(struct thread *td, struct setuid_args *uap)
|
||||
uifree(uip);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
uifree(uip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -604,14 +612,18 @@ seteuid(struct thread *td, struct seteuid_args *uap)
|
||||
euip = uifind(euid);
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_seteuid(p, oldcred, euid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */
|
||||
euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* Everything's okay, do it. Copy credentials so other references do
|
||||
* not see our changes.
|
||||
@ -626,6 +638,12 @@ seteuid(struct thread *td, struct seteuid_args *uap)
|
||||
uifree(euip);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -650,6 +668,12 @@ setgid(struct thread *td, struct setgid_args *uap)
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setgid(p, oldcred, gid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* See if we have "permission" by POSIX 1003.1 rules.
|
||||
*
|
||||
@ -668,11 +692,8 @@ setgid(struct thread *td, struct setgid_args *uap)
|
||||
#ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */
|
||||
gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */
|
||||
#endif
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
#ifdef _POSIX_SAVED_IDS
|
||||
@ -718,6 +739,11 @@ setgid(struct thread *td, struct setgid_args *uap)
|
||||
PROC_UNLOCK(p);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -741,13 +767,18 @@ setegid(struct thread *td, struct setegid_args *uap)
|
||||
newcred = crget();
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setegid(p, oldcred, egid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */
|
||||
egid != oldcred->cr_svgid && /* allow setegid(saved gid) */
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
if (oldcred->cr_groups[0] != egid) {
|
||||
change_egid(newcred, egid);
|
||||
@ -757,6 +788,11 @@ setegid(struct thread *td, struct setegid_args *uap)
|
||||
PROC_UNLOCK(p);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -789,14 +825,18 @@ setgroups(struct thread *td, struct setgroups_args *uap)
|
||||
newcred = crget();
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setgroups(p, oldcred, ngrp,
|
||||
tempcred->cr_groups);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
error = suser_cred(oldcred, SUSER_ALLOWJAIL);
|
||||
if (error) {
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
crfree(tempcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
if (error)
|
||||
goto fail;
|
||||
|
||||
/*
|
||||
* XXX A little bit lazy here. We could test if anything has
|
||||
* changed before crcopy() and setting P_SUGID.
|
||||
@ -821,6 +861,12 @@ setgroups(struct thread *td, struct setgroups_args *uap)
|
||||
crfree(tempcred);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
crfree(tempcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -849,17 +895,20 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
|
||||
ruip = uifind(ruid);
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setreuid(p, oldcred, ruid, euid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
|
||||
ruid != oldcred->cr_svuid) ||
|
||||
(euid != (uid_t)-1 && euid != oldcred->cr_uid &&
|
||||
euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) &&
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
uifree(ruip);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
|
||||
change_euid(newcred, euip);
|
||||
@ -880,6 +929,13 @@ setreuid(register struct thread *td, struct setreuid_args *uap)
|
||||
uifree(euip);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
uifree(ruip);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
@ -905,15 +961,19 @@ setregid(register struct thread *td, struct setregid_args *uap)
|
||||
newcred = crget();
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setregid(p, oldcred, rgid, egid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
|
||||
rgid != oldcred->cr_svgid) ||
|
||||
(egid != (gid_t)-1 && egid != oldcred->cr_groups[0] &&
|
||||
egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) &&
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
|
||||
@ -933,6 +993,11 @@ setregid(register struct thread *td, struct setregid_args *uap)
|
||||
PROC_UNLOCK(p);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -968,6 +1033,13 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
|
||||
ruip = uifind(ruid);
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid &&
|
||||
ruid != oldcred->cr_svuid &&
|
||||
ruid != oldcred->cr_uid) ||
|
||||
@ -977,13 +1049,8 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
|
||||
(suid != (uid_t)-1 && suid != oldcred->cr_ruid &&
|
||||
suid != oldcred->cr_svuid &&
|
||||
suid != oldcred->cr_uid)) &&
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
uifree(ruip);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
if (euid != (uid_t)-1 && oldcred->cr_uid != euid) {
|
||||
@ -1004,6 +1071,14 @@ setresuid(register struct thread *td, struct setresuid_args *uap)
|
||||
uifree(euip);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
uifree(ruip);
|
||||
uifree(euip);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1036,6 +1111,13 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
|
||||
newcred = crget();
|
||||
PROC_LOCK(p);
|
||||
oldcred = p->p_ucred;
|
||||
|
||||
#ifdef MAC
|
||||
error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid);
|
||||
if (error)
|
||||
goto fail;
|
||||
#endif
|
||||
|
||||
if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid &&
|
||||
rgid != oldcred->cr_svgid &&
|
||||
rgid != oldcred->cr_groups[0]) ||
|
||||
@ -1045,11 +1127,8 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
|
||||
(sgid != (gid_t)-1 && sgid != oldcred->cr_rgid &&
|
||||
sgid != oldcred->cr_svgid &&
|
||||
sgid != oldcred->cr_groups[0])) &&
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) {
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
(error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0)
|
||||
goto fail;
|
||||
|
||||
crcopy(newcred, oldcred);
|
||||
if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) {
|
||||
@ -1068,6 +1147,11 @@ setresgid(register struct thread *td, struct setresgid_args *uap)
|
||||
PROC_UNLOCK(p);
|
||||
crfree(oldcred);
|
||||
return (0);
|
||||
|
||||
fail:
|
||||
PROC_UNLOCK(p);
|
||||
crfree(newcred);
|
||||
return (error);
|
||||
}
|
||||
|
||||
#ifndef _SYS_SYSPROTO_H_
|
||||
|
||||
@ -330,6 +330,24 @@ int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
|
||||
int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
|
||||
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t uid);
|
||||
int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t euid);
|
||||
int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t gid);
|
||||
int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
|
||||
gid_t egid);
|
||||
int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
int ngroups, gid_t *gidset);
|
||||
int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid);
|
||||
int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid);
|
||||
int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid, uid_t suid);
|
||||
int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid, gid_t sgid);
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
|
||||
int signum);
|
||||
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
|
||||
|
||||
@ -408,6 +408,20 @@ struct mac_policy_ops {
|
||||
struct proc *proc);
|
||||
int (*mpo_check_proc_sched)(struct ucred *cred,
|
||||
struct proc *proc);
|
||||
int (*mpo_check_proc_setuid)(struct ucred *cred, uid_t uid);
|
||||
int (*mpo_check_proc_seteuid)(struct ucred *cred, uid_t euid);
|
||||
int (*mpo_check_proc_setgid)(struct ucred *cred, gid_t gid);
|
||||
int (*mpo_check_proc_setegid)(struct ucred *cred, gid_t egid);
|
||||
int (*mpo_check_proc_setgroups)(struct ucred *cred, int ngroups,
|
||||
gid_t *gidset);
|
||||
int (*mpo_check_proc_setreuid)(struct ucred *cred, uid_t ruid,
|
||||
uid_t euid);
|
||||
int (*mpo_check_proc_setregid)(struct ucred *cred, gid_t rgid,
|
||||
gid_t egid);
|
||||
int (*mpo_check_proc_setresuid)(struct ucred *cred, uid_t ruid,
|
||||
uid_t euid, uid_t suid);
|
||||
int (*mpo_check_proc_setresgid)(struct ucred *cred, gid_t rgid,
|
||||
gid_t egid, gid_t sgid);
|
||||
int (*mpo_check_proc_signal)(struct ucred *cred,
|
||||
struct proc *proc, int signum);
|
||||
int (*mpo_check_socket_bind)(struct ucred *cred,
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
* Copyright (c) 1999-2002 Robert N. M. Watson
|
||||
* Copyright (c) 2001 Ilmar S. Habibulin
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2005 Samy Al Bahra
|
||||
* All rights reserved.
|
||||
*
|
||||
* This software was developed by Robert Watson and Ilmar Habibulin for the
|
||||
@ -85,6 +86,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
|
||||
&mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
|
||||
"copy-on-write semantics, or by removing all write access");
|
||||
|
||||
static int mac_enforce_suid = 1;
|
||||
SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
|
||||
&mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
|
||||
TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
|
||||
|
||||
#ifdef MAC_DEBUG
|
||||
static unsigned int nmaccreds, nmacprocs;
|
||||
SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
|
||||
@ -513,3 +519,134 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setuid, cred, uid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_seteuid, cred, euid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setgid, cred, gid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setegid, cred, egid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
int ngroups, gid_t *gidset)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
gid_t egid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setregid, cred, rgid, egid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
|
||||
uid_t euid, uid_t suid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
int
|
||||
mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
|
||||
gid_t egid, gid_t sgid)
|
||||
{
|
||||
int error;
|
||||
|
||||
PROC_LOCK_ASSERT(proc, MA_OWNED);
|
||||
|
||||
if (!mac_enforce_suid)
|
||||
return (0);
|
||||
|
||||
MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
|
||||
return (error);
|
||||
}
|
||||
|
||||
@ -841,6 +841,72 @@ stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setuid(struct ucred *cred, uid_t uid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_seteuid(struct ucred *cred, uid_t euid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setgid(struct ucred *cred, gid_t gid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setegid(struct ucred *cred, gid_t egid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setgroups(struct ucred *cred, int ngroups,
|
||||
gid_t *gidset)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
|
||||
uid_t suid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
|
||||
gid_t sgid)
|
||||
{
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
stub_check_socket_bind(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel, struct sockaddr *sockaddr)
|
||||
@ -1341,6 +1407,15 @@ static struct mac_policy_ops mac_stub_ops =
|
||||
.mpo_check_pipe_write = stub_check_pipe_write,
|
||||
.mpo_check_proc_debug = stub_check_proc_debug,
|
||||
.mpo_check_proc_sched = stub_check_proc_sched,
|
||||
.mpo_check_proc_setuid = stub_check_proc_setuid,
|
||||
.mpo_check_proc_seteuid = stub_check_proc_seteuid,
|
||||
.mpo_check_proc_setgid = stub_check_proc_setgid,
|
||||
.mpo_check_proc_setegid = stub_check_proc_setegid,
|
||||
.mpo_check_proc_setgroups = stub_check_proc_setgroups,
|
||||
.mpo_check_proc_setreuid = stub_check_proc_setreuid,
|
||||
.mpo_check_proc_setregid = stub_check_proc_setregid,
|
||||
.mpo_check_proc_setresuid = stub_check_proc_setresuid,
|
||||
.mpo_check_proc_setresgid = stub_check_proc_setresgid,
|
||||
.mpo_check_proc_signal = stub_check_proc_signal,
|
||||
.mpo_check_socket_bind = stub_check_socket_bind,
|
||||
.mpo_check_socket_connect = stub_check_socket_connect,
|
||||
|
||||
@ -1706,6 +1706,90 @@ mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setuid(struct ucred *cred, uid_t uid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setgid(struct ucred *cred, gid_t gid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setegid(struct ucred *cred, gid_t egid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setgroups(struct ucred *cred, int ngroups,
|
||||
gid_t *gidset)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid,
|
||||
uid_t suid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid,
|
||||
gid_t sgid)
|
||||
{
|
||||
|
||||
ASSERT_CRED_LABEL(cred->cr_label);
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
mac_test_check_socket_bind(struct ucred *cred, struct socket *socket,
|
||||
struct label *socketlabel, struct sockaddr *sockaddr)
|
||||
@ -2357,6 +2441,15 @@ static struct mac_policy_ops mac_test_ops =
|
||||
.mpo_check_pipe_write = mac_test_check_pipe_write,
|
||||
.mpo_check_proc_debug = mac_test_check_proc_debug,
|
||||
.mpo_check_proc_sched = mac_test_check_proc_sched,
|
||||
.mpo_check_proc_setuid = mac_test_check_proc_setuid,
|
||||
.mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
|
||||
.mpo_check_proc_setgid = mac_test_check_proc_setgid,
|
||||
.mpo_check_proc_setegid = mac_test_check_proc_setegid,
|
||||
.mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
|
||||
.mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
|
||||
.mpo_check_proc_setregid = mac_test_check_proc_setregid,
|
||||
.mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
|
||||
.mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
|
||||
.mpo_check_proc_signal = mac_test_check_proc_signal,
|
||||
.mpo_check_socket_bind = mac_test_check_socket_bind,
|
||||
.mpo_check_socket_connect = mac_test_check_socket_connect,
|
||||
|
||||
@ -330,6 +330,24 @@ int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
|
||||
int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
|
||||
int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
|
||||
int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t uid);
|
||||
int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t euid);
|
||||
int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t gid);
|
||||
int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
|
||||
gid_t egid);
|
||||
int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
|
||||
int ngroups, gid_t *gidset);
|
||||
int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid);
|
||||
int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid);
|
||||
int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
|
||||
uid_t ruid, uid_t euid, uid_t suid);
|
||||
int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
|
||||
gid_t rgid, gid_t egid, gid_t sgid);
|
||||
int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
|
||||
int signum);
|
||||
int mac_check_socket_bind(struct ucred *cred, struct socket *so,
|
||||
|
||||
@ -408,6 +408,20 @@ struct mac_policy_ops {
|
||||
struct proc *proc);
|
||||
int (*mpo_check_proc_sched)(struct ucred *cred,
|
||||
struct proc *proc);
|
||||
int (*mpo_check_proc_setuid)(struct ucred *cred, uid_t uid);
|
||||
int (*mpo_check_proc_seteuid)(struct ucred *cred, uid_t euid);
|
||||
int (*mpo_check_proc_setgid)(struct ucred *cred, gid_t gid);
|
||||
int (*mpo_check_proc_setegid)(struct ucred *cred, gid_t egid);
|
||||
int (*mpo_check_proc_setgroups)(struct ucred *cred, int ngroups,
|
||||
gid_t *gidset);
|
||||
int (*mpo_check_proc_setreuid)(struct ucred *cred, uid_t ruid,
|
||||
uid_t euid);
|
||||
int (*mpo_check_proc_setregid)(struct ucred *cred, gid_t rgid,
|
||||
gid_t egid);
|
||||
int (*mpo_check_proc_setresuid)(struct ucred *cred, uid_t ruid,
|
||||
uid_t euid, uid_t suid);
|
||||
int (*mpo_check_proc_setresgid)(struct ucred *cred, gid_t rgid,
|
||||
gid_t egid, gid_t sgid);
|
||||
int (*mpo_check_proc_signal)(struct ucred *cred,
|
||||
struct proc *proc, int signum);
|
||||
int (*mpo_check_socket_bind)(struct ucred *cred,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user