6bb132ba | 15-Apr-2024 | Brooks Davis <brooks@FreeBSD.org>

Reduce reliance on sys/sysproto.h pollution

Add sys/errno.h, sys/malloc.h, sys/queue.h, and vm/uma.h as needed.

sys/sysproto.h currently includes sys/acl.h which currently includes sys/param.h, sys/queue.h, and vm/uma.h which in turn bring in sys/errno.h and sys/malloc.h.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D44465

a1e37beb | 05-Jan-2024 | Olivier Certner <olce@FreeBSD.org>

cr_bsd_visible(): Style fixes

Explicitly test for non-zero return codes. Separate assignment and testing of 'error' in distinct lines.

Reviewed by: emaste, kib
Approved by: emaste (mentor)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D43335

29363fb4 | 23-Nov-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two minor fixups to keep things compiling. All the common forms in the tree were removed with a perl script.

Sponsored by: Netflix

92541c12 | 25-Sep-2023 | Olivier Certner <olce.freebsd@certner.fr>

Open-code proc_set_cred_init()

This function is to be called only when initializing a new process (so, 'proc0' and at fork), and not in any other circumstances. Setting the process' 'p_ucred' field to the result of crcowget() on the original credentials is the only thing it does, hiding the fact that the process' 'p_ucred' field is crushed by the call. Moreover, most of the code it executes is already encapsulated in crcowget().

To prevent misuse and improve code readability, just remove this function and replace it with a direct assignment to 'p_ucred'.

Reviewed by: markj (earlier version), kib
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42255

ffd3ef8e | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

groupmember(), realgroupmember(): Return a bool instead of an int

Requested by: mhorne
Reviewed by: mhorne
MFC after: 2 weeks
MFC to: stable/14 releng/14.0
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40958

91658080 | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

cr_canseeothergids(): Use real instead of effective group membership

Using the effective group and not the real one when testing membership has the consequence that unprivileged processes cannot see setuid commands they launch until these have relinquished their privileges. This is also in contradiction with how the similar cr_canseeotheruids() works, i.e., by taking into account real user IDs.

Fix this by substituting groupmember() with realgroupmember().

While here, simplify the code.

PR: 272093
Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40642

2a2bfa6a | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

New realgroupmember()

Like groupmember(), but taking into account the real group instead of the effective group. Leverages the new supplementary_group_member() function.

Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40641

b725f232 | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

groupmember(): Extract the supplementary group search in a separate function

This is in preparation for the introduction of the new realgroupmember() function, which does the same search into supplementary groups as groupmember().

Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40640

91e9d669 | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

Make cr_bsd_visible()'s sub-functions internal

cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() should not be used directly now. cr_bsd_visible() has to be called instead.

Reviewed by: mhorne
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40629

5817169b | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()

As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced.

PR: 272092
Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40628

e4a7b4f9 | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

New cr_bsd_visible(): Whether BSD policies deny seeing subjects/objects

This is a new helper function that leverages existing code: It calls successively cr_canseeotheruids(), cr_canseeothergids() and cr_canseejailproc() (as long as the previous didn't deny access).

Will be used in a subsequent commit.

Reviewed by: mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40627

7974ca1c | 17-Aug-2023 | Olivier Certner <olce.freebsd@certner.fr>

cr_canseejailproc(): New privilege, no direct check for UID 0

Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies.

Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS).

Reviewed by: emaste (earlier version), mhorne
MFC after: 2 weeks
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40626

685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

7a70f17a | 07-Jul-2023 | Konstantin Belousov <kib@FreeBSD.org>

killpg(): more carefully avoid LoR, otherwise we could end up with the livelock.

When pg_killsx trylock failed, ensure that we do wait for lock availability before retry.

Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

ed84cb59 | 07-Jul-2023 | Konstantin Belousov <kib@FreeBSD.org>

sys_setpgid(): style, remove extra ()s

Sponsored by: The FreeBSD Foundation
MFC after: 1 week

3360b485 | 12-Jun-2023 | Konstantin Belousov <kib@FreeBSD.org>

killpg(2): close a race with fork(2), part1

If the process group member performs fork(), the child could escape signalling from killpg(). Prevent it by introducing an sx process group lock pg_killsx which is taken interruptibly shared around fork. If there is a pending signal, do the trip through userspace with ERESTART to handle signal ASTs.

The lock is taken exclusively during killpg(). The lock is also locked exclusive when the process changes group membership, to avoid escaping a signal by this means, by ensuring that the process group is stable during fork.

Note that the new lock is before proctree lock, so in some situations we could only do trylocking to obtain it.

This relatively simple approach cannot work for REAP_KILL, because process potentially belongs to more than one reaper tree by having sub-reapers.

Reported by: dchagin
Tested by: dchagin, pho
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D40493

37337709 | 22-Mar-2023 | Mateusz Guzik <mjg@FreeBSD.org>

cred: convert the refcount from int to long

On 64-bit platforms this sorts out worries about mitigating bugs which overflow the counter, all while not pessimizing anything -- most notably it avoids whacking per-thread operation in favor of refcount(9) API.

The struct already had two instances of 4 byte padding with 256 bytes in size, cr_flags gets moved around to avoid growing it.

32-bit platforms could also get the extended counter, but I did not do it as one day(tm) the mutex protecting centralized operation should be replaced with atomics and 64-bit ops on 32-bit platforms remain quite penalizing.

While worries of counter overflow are addressed, the following is not (just like it would not be with conversion to refcount(9)):
- counter *underflows*
- buffer overruns from adjacent allocations
- UAF due to stale cred pointer
- .. and other goodies

As such, while lipstick was placed, the pig should not be participating in any beauty pageants.

Prodded by: emaste
Differential Revision: https://reviews.freebsd.org/D39220

c54d240e | 30-Jan-2023 | Pawel Jakub Dawidek <pjd@FreeBSD.org>

kern_prot.c p_candebug(): Remove single-use variable.

Reviewed by: allanjude, oshogbo
Approved by: allanjude, oshogbo
Differential Revision: https://reviews.freebsd.org/D38288

31d1b816 | 28-May-2022 | Dmitry Chagin <dchagin@FreeBSD.org>

sysent: Get rid of bogus sys/sysent.h include.

Where appropriate hide sysent.h under proper condition.

MFC after: 2 weeks

768f9b8b | 09-Apr-2022 | Gordon Bergling <gbe@FreeBSD.org>

kern: Fix a typo in a source code comment

- s/is is/is/

MFC after: 3 days

fe6db727 | 21-Jan-2022 | Konstantin Belousov <kib@FreeBSD.org>

Add security.bsd.allow_ptrace sysctl that disables any access to ptrace(2) for all processes.

Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D33986

55a0aa21 | 21-Jan-2022 | Konstantin Belousov <kib@FreeBSD.org>

p_candebug(), p_cansee(): always allow for curproc

Privilege checks in both functions should allow the current process to infer information about itself, as well as use the interfaces that are proclaimed 'debugging', for instance, procctl(2).

Note that in p_cansee() case, explicit comparison of curproc and p avoids a race where the process might change credentials and cause thread to compare its cached stale credentials against updated process creds, effectively disallowing the process to observe itself.

Reviewed by: emaste
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D33986

4bc2174a | 09-Jul-2019 | Moritz Buhl <gh@moritzbuhl.de>

kern: fail getgroup and setgroup with negative int

Found using https://github.com/NetBSD/src/blob/trunk/tests/lib/libc/sys/t_getgroups.c

getgroups/setgroups want an int and therefore casting it to u_int resulted in `getgroups(-1, ...)` not returning -1 / errno = EINVAL.

imp@ updated syscall.master and made changes markj@ suggested

PR: 189941
Tested by: imp@
Reviewed by: markj@
Pull Request: https://github.com/freebsd/freebsd-src/pull/407
Differential Revision: https://reviews.freebsd.org/D30617

fa2528ac | 18-Feb-2021 | Alex Richardson <arichardson@FreeBSD.org>

Use atomic loads/stores when updating td->td_state

KCSAN complains about racy accesses in the locking code. Those races are fine since they are inside a TD_SET_RUNNING() loop that expects the value to be changed by another CPU.

Use relaxed atomic stores/loads to indicate that this variable can be written/read by multiple CPUs at the same time. This will also prevent the compiler from doing unexpected re-ordering.

Reported by: GENERIC-KCSAN
Test Plan: KCSAN no longer complains, kernel still runs fine.
Reviewed By: markj, mjg (earlier version)
Differential Revision: https://reviews.freebsd.org/D28569

ef739c73 | 31-Dec-2020 | Konstantin Belousov <kib@FreeBSD.org>

pgrp: Prevent use after free.

Often, we have a process locked and need to get locked process group. In this case, because process group lock is before process lock, unlocking process allows the group to be freed. See for instance tty_wait_background().

Make pgrp structures allocated from nofree zone, and ensure type stability of the pgrp mutex.

Reviewed by: jilles
Tested by: pho
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D27871

0fe74ae6 | 26-Dec-2020 | Jamie Gritton <jamie@FreeBSD.org>

jail: Consistently handle the pr_allow bitmask

Return a boolean (i.e. 0 or 1) from prison_allow, instead of the flag value itself, which is what sysctl expects.

Add prison_set_allow(), which can set or clear a permission bit, and propagates cleared bits down to child jails.

Use prison_allow() and prison_set_allow() in the various jail.allow.* sysctls, and others that depend on those permissions.

Add locking around checking both pr_allow and pr_enforce_statfs in prison_priv_check().

2f5b0b48 | 18-Nov-2020 | Mateusz Guzik <mjg@FreeBSD.org>

cred: fix minor nits in r367695

Noted by: jhb

f34a2f56 | 14-Nov-2020 | Mateusz Guzik <mjg@FreeBSD.org>

thread: batch credential freeing

6fed89b1 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>

kern: clean up empty lines in .c and .h files

936c24fa | 01-Aug-2020 | Mateusz Guzik <mjg@FreeBSD.org>

cred: add more asserts for td_realucred == td_ucred

a2de789e | 01-Jul-2020 | Mateusz Guzik <mjg@FreeBSD.org>

cred: add a prediction to crfree for td->td_realucred == cr

This matches crhold and eliminates an assembly maze in the common case.

1724c563 | 09-Jun-2020 | Mateusz Guzik <mjg@FreeBSD.org>

cred: distribute reference count per thread

This avoids dirtying creds in the common case, see the comment in kern_prot.c for details.

Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D24007

5a90435c | 24-May-2020 | Mateusz Guzik <mjg@FreeBSD.org>

proc: refactor clearing credentials into proc_unset_cred

59838c1a | 01-Apr-2020 | John Baldwin <jhb@FreeBSD.org>

Retire procfs-based process debugging.

Modern debuggers and process tracers use ptrace() rather than procfs for debugging. ptrace() has a superset of functionality available via procfs and new debugging features are only added to ptrace(). While the two debugging services share some fields in struct proc, they each use dedicated fields and separate code. This results in extra complexity to support a feature that hasn't been enabled in the default install for several years.

PR: 244939 (exp-run)
Reviewed by: kib, mjg (earlier version)
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D23837

7029da5c | 26-Feb-2020 | Pawel Biernacki <kaktus@FreeBSD.org>

Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (17 of many)

r357614 added CTLFLAG_NEEDGIANT to make it easier to find nodes that are still not MPSAFE (or already are but aren't properly marked). Use it in preparation for a general review of all nodes.

This is non-functional change that adds annotations to SYSCTL_NODE and SYSCTL_PROC nodes using one of the soon-to-be-required flags.

Mark all obvious cases as MPSAFE. All entries that haven't been marked as MPSAFE before are by default marked as NEEDGIANT

Approved by: kib (mentor, blanket)
Commented by: kib, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D23718

51871224 | 13-Jan-2020 | Ryan Libby <rlibby@FreeBSD.org>

malloc: remove assumptions about MINALLOCSIZE

Remove assumptions about the minimum MINALLOCSIZE, in order to allow testing of smaller MINALLOCSIZE. A following patch will lower the MINALLOCSIZE, but not so much that the present patch is required for correctness at these sites.

Reviewed by: jeff, markj
Sponsored by: Dell EMC Isilon

6f836483 | 13-Dec-2019 | Mateusz Guzik <mjg@FreeBSD.org>

Remove the useless return value from proc_set_cred

be2cfdbc | 13-Dec-2019 | Edward Tomasz Napierala <trasz@FreeBSD.org>

Add kern_getsid() and use it in Linuxulator; no functional changes.

Reviewed by: kib
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D22647

7e097daa | 11-Aug-2019 | Konstantin Belousov <kib@FreeBSD.org>

Only enable COMPAT_43 changes for syscalls ABI for a.out processes.

Reviewed by: imp, jhb
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D21200

c8124e20 | 30-May-2019 | Dmitry Chagin <dchagin@FreeBSD.org>

Remove wrong inline keyword.

Reported by: markj
MFC after: 1 week

c5afec6e | 30-May-2019 | Dmitry Chagin <dchagin@FreeBSD.org>

Complete LOCAL_PEERCRED support.

Cache pid of the remote process in the struct xucred. Do not bump XUCRED_VERSION as struct layout is not changed.

PR: 215202
Reviewed by: tijl
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D20415

cc426dd3 | 11-Dec-2018 | Mateusz Guzik <mjg@FreeBSD.org>

Remove unused argument to priv_check_cred.

Patch mostly generated with coccinelle:

@@
expression E1,E2;
@@

- priv_check_cred(E1,E2,0)
+ priv_check_cred(E1,E2)

Sponsored by: The FreeBSD Foundation

b3079544 | 27-Nov-2018 | Jamie Gritton <jamie@FreeBSD.org>

In hardened systems, where the security.bsd.unprivileged_proc_debug sysctl node is set, allow setting security.bsd.unprivileged_proc_debug per-jail.

In part, this is needed to create jails in which the Address Sanitizer (ASAN) fully works as ASAN utilizes libkvm to inspect the virtual address space. Instead of having to allow unprivileged process debugging for the entire system, allow setting it on a per-jail basis.

The sysctl node is still security.bsd.unprivileged_proc_debug and the jail(8) param is allow.unprivileged_proc_debug. The sysctl code is now a sysctl proc rather than a sysctl int. This allows us to determine setting the flag for the corresponding jail (or prison0).

As part of the change, the dynamic allow.* API needed to be modified to take into account pr_allow flags which may now be disabled in prison0. This prevents conflicts with new pr_allow flags (like that of vmm(4)) that are added (and removed) dynamically.

Also teach the jail creation KPI to allow differences for certain pr_allow flags between the parent and child jail. This can happen when unprivileged process debugging is disabled in the parent prison, but enabled in the child.

Submitted by: Shawn Webb <lattera at gmail.com>
Obtained from: HardenedBSD (45b3625edba0f73b3e3890b1ec3d0d1e95fd47e1, deba0b5078cef0faae43cbdafed3035b16587afc, ab21eeb3b4c72f2500987c96ff603ccf3b6e7de8)
Relnotes: yes
Sponsored by: HardenedBSD and G2, Inc
Differential Revision: https://reviews.freebsd.org/D18319

2c054ce9 | 16-Nov-2018 | Mateusz Guzik <mjg@FreeBSD.org>

proc: always store parent pid in p_oppid

Doing so removes the dependency on proctree lock from sysctl process list export which further reduces contention during poudriere -j 128 runs.

Reviewed by: kib (previous version)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17825

f87beb93 | 20-Apr-2018 | Andriy Gapon <avg@FreeBSD.org>

call racct_proc_ucred_changed() under the proc lock

The lock is required to ensure that the switch to the new credentials and the transfer of the process's accounting data from the old credentials to the new ones is done atomically. Otherwise, some updates may be applied to the new credentials and then additionally transferred from the old credentials if the updates happen after proc_set_cred() and before racct_proc_ucred_changed().

The problem is especially pronounced for RACCT_RSS because
- there is a strict accounting for this resource (it's reclaimable)
- it's updated asynchronously by the vm daemon
- it's updated by setting an absolute value instead of applying a delta

I had to remove a call to rctl_proc_ucred_changed() from racct_proc_ucred_changed() and make all callers of the latter call the former as well. The reason is that rctl_proc_ucred_changed, as it is implemented now, cannot be called while holding the proc lock, so the lock is dropped after calling racct_proc_ucred_changed.

Additionally, I've added calls to crhold / crfree around the rctl call, because without the proc lock there is no guarantee that the new credentials, owned by the process, will stay stable. That does not eliminate a possibility that the credentials passed to the rctl will get stale. Ideally, rctl_proc_ucred_changed should be able to work under the proc lock.

Many thanks to kib for pointing out the above problems.

PR: 222027
Discussed with: kib
No comment: trasz
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D15048

6469bdcd | 06-Apr-2018 | Brooks Davis <brooks@FreeBSD.org>

Move most of the contents of opt_compat.h to opt_global.h.

opt_compat.h is mentioned in nearly 180 files. In-progress network driver compatibility improvements may add over 100 more so this is closer to "just about everywhere" than "only some files" per the guidance in sys/conf/options.

Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of sys/compat/linux/*.c. A fake _COMPAT_LINUX option ensures opt_compat.h is created on all architectures.

Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the set of compiled files.

Reviewed by: kib, cem, jhb, jtl
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14941

51369649 | 20-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>

sys: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.

a4aaba3b | 23-May-2017 | Steve Wills <swills@FreeBSD.org>

Add security.bsd.see_jail_proc

Add security.bsd.see_jail_proc sysctl to hide jail processes from non-root users

Reviewed by: jamie
Approved by: allanjude
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10770

3e85b721 | 16-May-2017 | Ed Maste <emaste@FreeBSD.org>

Remove register keyword from sys/ and ANSIfy prototypes

A long long time ago the register keyword told the compiler to store the corresponding variable in a CPU register, but it is not relevant for any compiler used in the FreeBSD world today. ANSIfy related prototypes while here.

Reviewed by: cem, jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10193

543b2f42 | 24-Jan-2017 | Mateusz Guzik <mjg@FreeBSD.org>

proc: perform a lockless check in sys_issetugid

Discussed with: kib
MFC after: 1 week

69a28758 | 15-Sep-2016 | Ed Maste <emaste@FreeBSD.org>

Renumber license clauses in sys/kern to avoid skipping #3

70a98c11 | 20-Aug-2016 | Robert Watson <rwatson@FreeBSD.org>

Audit the accepted (or rejected) username argument to setlogin(2).

(NB: This was likely a mismerge from XNU in audit support, where the text argument to setlogin(2) is captured -- but as a text token, whereas this change uses the dedicated login-name field in struct audit_record.)

MFC after: 2 weeks
Sponsored by: DARPA, AFRL

4ac21b4f | 27-Jul-2016 | Stephen J. Kiernan <stevek@FreeBSD.org>

Prepare for network stack as a module

- Move cr_canseeinpcb to sys/netinet/in_prot.c in order to separate the INET and INET6-specific code from the rest of the prot code (It is only used by the network stack, so it makes sense for it to live with the other network stack code.)
- Move cr_canseeinpcb prototype from sys/systm.h to netinet/in_systm.h
- Rename cr_seeotheruids to cr_canseeotheruids and cr_seeothergids to cr_canseeothergids, make them non-static, and add prototypes (so they can be seen/called by in_prot.c functions.)
- Remove sw_csum variable from ip6_forward in ip6_forward.c, as it is an unused variable.

Reviewed by: gnn, jtl
Approved by: sjg (mentor)
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D2901

e3043798 | 29-Apr-2016 | Pedro F. Giffuni <pfg@FreeBSD.org>

sys/kern: spelling fixes in comments.

No functional change.

c8358c6e | 14-Jan-2016 | Gleb Smirnoff <glebius@FreeBSD.org>

Call crextend() before copying old credentials to the new credentials and replace crcopysafe by crcopy as crcopysafe is not intended to be safe in a threaded environment, it drops PROC_LOCK() in while() that can lead to unexpected results, such as overwrite kernel memory.

In my POV crcopysafe() needs special attention. For now I do not see any problems with this function, but who knows.

Submitted by: dchagin
Found by: trinity
Security: SA-16:04.linux

cd672ca6 | 16-Jul-2015 | Mateusz Guzik <mjg@FreeBSD.org>

Get rid of lim_update_thread and cred_update_thread.

Their primary use was in thread_cow_update to free up old resources. Freeing had to be done with proc lock held and _cow_ funcs already knew how to free old structs.

4ea6a9a2 | 10-Jun-2015 | Mateusz Guzik <mjg@FreeBSD.org>

Generalised support for copy-on-write structures shared by threads.

Thread credentials are maintained as follows: each thread has a pointer to creds and a reference on them. The pointer is compared with proc's creds on userspace<->kernel boundary and updated if needed.

This patch introduces a counter which can be compared instead, so that more structures can use this scheme without adding more comparisons on the boundary.

ffb34484 | 21-Mar-2015 | Mateusz Guzik <mjg@FreeBSD.org>

cred: add proc_set_cred_init helper

proc_set_cred_init can be used to set first credentials of a new process.

Update proc_set_cred assertions so that it only expects already used processes.

This fixes panics where p_ucred of a new process happens to be non-NULL.

Reviewed by: kib

daf63fd2 | 15-Mar-2015 | Mateusz Guzik <mjg@FreeBSD.org>

cred: add proc_set_cred helper

The goal here is to provide one place altering process credentials.

This eases debugging and opens up possibilities to do additional work when such an action is performed.

677258f7 | 18-Jan-2015 | Konstantin Belousov <kib@FreeBSD.org>

Add procctl(2) PROC_TRACE_CTL command to enable or disable debugger attachment to the process.

Note that the command is not intended to be a security measure, rather it is an obfuscation feature, implemented for parity with other operating systems.

Discussed with: jilles, rwatson
Man page fixes by: rwatson
Sponsored by: The FreeBSD Foundation
MFC after: 1 week

a99500a9 | 04-Nov-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Extend struct ucred with group table.

This saves one malloc + free with typical cases and better utilizes memory.

Submitted by: Tiwei Bie <btw mail.ustc.edu.cn> (slightly modified)
X-Additional: JuniorJobs project

bccb6d5a | 04-Nov-2014 | Dag-Erling Smørgrav <des@FreeBSD.org>

[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
[SA-14:26] Fix remote command execution in ftp(1).

Approved by: so (des)

b9063886 | 26-Oct-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Fix up an assertion in kern_setgroups, it should compare with ngroups_max + 1

Bug introduced in r273685.

Noted by: Tiwei Bie <btw mail.ustc.edu.cn>

7e9a456a | 26-Oct-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Tidy up sys_setgroups and kern_setgroups.

- 'groups' initialization to NULL is always overwritten before use, so plug it
- get rid of 'goto out'
- kern_setgroups's callers already validate ngrp, so only assert the condition
- ngrp is an u_int, so 'ngrp < 1' is more readable as 'ngrp == 0'

No functional changes.

92b064f4 | 25-Oct-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Use a temporary buffer in sys_setgroups for requests with <= XU_NGROUPS groups.

Submitted by: Tiwei Bie <btw mail.ustc.edu.cn>
X-Additional: JuniorJobs project
MFC after: 2 weeks

07b384cb | 21-Oct-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Eliminate unnecessary memory allocation in sys_getgroups and its ibcs2 counterpart.

25108069 | 04-Oct-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Get rid of crshared.

abd386ba | 24-Aug-2014 | Mateusz Guzik <mjg@FreeBSD.org>

Fix getppid for traced processes.

Traced processes always have the tracer set as the parent. Utilize proc_realparent to obtain the right process when needed.

Reviewed by: kib
MFC after: 1 week

6f0a5dea | 14-Nov-2012 | Baptiste Daroussin <bapt@FreeBSD.org>

Style fix

MFC after: 1 day

6f68699f | 14-Nov-2012 | Baptiste Daroussin <bapt@FreeBSD.org>

return ERANGE if the buffer is too small to contain the login as documented in the manpage

Reviewed by: cognet, kib
MFC after: 1 month

ca54e1ae | 08-Jan-2012 | Hiroki Sato <hrs@FreeBSD.org>

Fix a typo. (s/nessesary/necessary/)

8451d0dd | 16-Sep-2011 | Kip Macy <kmacy@FreeBSD.org>

In order to maximize the re-usability of kernel code in user space this patch modifies makesyscalls.sh to prefix all of the non-compatibility calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel entry points and all places in the code that use them. It also fixes an additional name space collision between the kernel function psignal and the libc function of the same name by renaming the kernel psignal kern_psignal(). By introducing this change now we will ease future MFCs that change syscalls.

Reviewed by: rwatson
Approved by: re (bz)

e4dcb704 | 31-Mar-2011 | Edward Tomasz Napierala <trasz@FreeBSD.org>

Notify racct when process credentials change.

Sponsored by: The FreeBSD Foundation
Reviewed by: kib (earlier version)

2bfc50bc | 04-Mar-2011 | Edward Tomasz Napierala <trasz@FreeBSD.org>

Add two new system calls, setloginclass(2) and getloginclass(2). This makes it possible for the kernel to track login class the process is assigned to, which is required for RCTL. This change also makes setusercontext(3) call setloginclass(2) and makes it possible to retrieve current login class using id(1).

Reviewed by: kib (as part of a larger patch)

de5b1952 | 25-Feb-2011 | Alexander Leidinger <netchild@FreeBSD.org>

Add some FEATURE macros for various features (AUDIT/CAM/IPC/KTR/MAC/NFS/NTP/ PMC/SYSV/...).

No FreeBSD version bump, the userland application to query the features will be committed last and can serve as an indication of the availability if needed.

Sponsored by: Google Summer of Code 2010
Submitted by: kibab
Reviewed by: arch@ (parts by rwatson, trasz, jhb)
X-MFC after: to be determined in last commit with code from this project

a7d5f7eb | 19-Oct-2010 | Jamie Gritton <jamie@FreeBSD.org>

A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.

1a996ed1 | 18-Jul-2010 | Edward Tomasz Napierala <trasz@FreeBSD.org>

Revert r210225 - turns out I was wrong; the "/*-" is not license-only thing; it's also used to indicate that the comment should not be automatically rewrapped.

Explained by: cperciva@

805cc58a | 18-Jul-2010 | Edward Tomasz Napierala <trasz@FreeBSD.org>

The "/*-" comment marker is supposed to denote copyrights. Remove non-copyright occurrences from sys/sys/ and sys/kern/.

3c48c089 | 24-Feb-2010 | Brooks Davis <brooks@FreeBSD.org>

MFC r202143,202163,202341,202342,204278

Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to somewhere in the neighborhood of INT_MAX/4 on a system with sufficient RAM and memory bandwidth. Given that the Windows group limit is 1024, this range should be sufficient for most applications

r202342:
Only allocate the space we need before calling kern_getgroups instead of allocating what ever the user asks for up to "ngroups_max + 1". On systems with large values of kern.ngroups this will be more efficient.

The now redundant check that the array is large enough in kern_getgroups() is deliberate to allow this change to be merged to stable/8 without breaking potential third party consumers of the API.

#
9126964c |
|
15-Jan-2010 |
Brooks Davis <brooks@FreeBSD.org> |
Only allocate the space we need before calling kern_getgroups instead of allocating whatever the user asks for up to "ngroups_max + 1". On systems with large values of kern.ngroups this will be more efficient. The now redundant check that the array is large enough in kern_getgroups() is deliberate to allow this change to be merged to stable/8 without breaking potential third party consumers of the API. Reported by: bde MFC after: 28 days
|
#
412f9500 |
|
12-Jan-2010 |
Brooks Davis <brooks@FreeBSD.org> |
Replace the static NGROUPS=NGROUPS_MAX+1=1024 with a dynamic kern.ngroups+1. kern.ngroups can range from NGROUPS_MAX=1023 to INT_MAX-1. Given that the Windows group limit is 1024, this range should be sufficient for most applications. MFC after: 1 month
|
#
7afcbc18 |
|
17-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove the interim vimage containers, struct vimage and struct procg, and the ioctl-based interface that supported them. Approved by: re (kib), bz (mentor)
|
#
9dce97d7 |
|
08-Jul-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Remove crcopy call from seteuid now that it calls crcopysafe. Reviewed by: brooks Approved by: re (kib), bz (mentor)
|
#
14961ba7 |
|
27-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Replace AUDIT_ARG() with variable argument macros with a set of more specific macros for each audit argument type. This makes it easier to follow call-graphs, especially for automated analysis tools (such as fxr). In MFC, we should leave the existing AUDIT_ARG() macros as they may be used by third-party kernel modules. Suggested by: brooks Approved by: re (kib) Obtained from: TrustedBSD Project MFC after: 1 week
|
#
7f92e578 |
|
20-Jun-2009 |
Brooks Davis <brooks@FreeBSD.org> |
Change crsetgroups_locked() (called by crsetgroups()) to sort the supplemental groups using insertion sort. Use this property in groupmember() to let us use a binary search instead of the previous linear search.
|
#
838d9858 |
|
19-Jun-2009 |
Brooks Davis <brooks@FreeBSD.org> |
Rework the credential code to support larger values of NGROUPS and NGROUPS_MAX, eliminate ABI dependencies on them, and raise them to 1024 and 1023 respectively. (Previously they were equal, but under a close reading of POSIX, NGROUPS_MAX was defined to be too large by 1 since it is the number of supplemental groups, not total number of groups.) The bulk of the change consists of converting the struct ucred member cr_groups from a static array to a pointer. Do the equivalent in kinfo_proc. Introduce new interfaces crcopysafe() and crsetgroups() for duplicating a process credential before modifying it and for setting group lists respectively. Both interfaces take care of the details of allocating the groups array. crsetgroups() takes care of truncating the group list to the current maximum (NGROUPS) if necessary. In the future, crsetgroups() may be responsible for ensuring invariants such as sorting the supplemental groups to allow groupmember() to be implemented as a binary search. Because we can not change struct xucred without breaking application ABIs, we leave it alone and introduce a new XU_NGROUPS value which is always 16 and is to be used or NGRPS as appropriate for things such as NFS which need to use no more than 16 groups. When feasible, truncate the group list rather than generating an error. Minor changes: - Reduce the number of hand rolled versions of groupmember(). - Do not assign to both cr_gid and cr_groups[0]. - Modify ipfw to cache ucreds instead of part of their contents since they are immutable once referenced by more than one entity. Submitted by: Isilon Systems (initial implementation) X-MFC after: never PR: bin/113398 kern/133867
|
#
bcf11e8d |
|
05-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC and used in a large number of files, but also because an increasing number of incorrect uses of MAC calls were sneaking in due to copy-and-paste of MAC-aware code without the associated opt_mac.h include. Discussed with: pjd
|
#
f93bfb23 |
|
02-Jun-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Add internal 'mac_policy_count' counter to the MAC Framework, which is a count of the number of registered policies. Rather than unconditionally locking sockets before passing them into MAC, lock them in the MAC entry points only if mac_policy_count is non-zero. This avoids locking overhead for a number of socket system calls when no policies are registered, eliminating measurable overhead for the MAC Framework for the socket subsystem when there are no active policies. Possibly socket locks should be acquired by policies if they are required for socket labels, which would further avoid locking overhead when there are policies but they don't require labeling of sockets, or possibly don't even implement socket controls. Obtained from: TrustedBSD Project
|
#
feb08d06 |
|
30-May-2009 |
Marko Zec <zec@FreeBSD.org> |
Introduce an interim userland-kernel API for creating vnets and assigning ifnets from one vnet to another. Deletion of vnets is not yet supported. The interface is implemented as an ioctl extension so that no syscalls had to be introduced. This should be acceptable given that the new interface will be used for a short / interim period only, until the new jail management framework gains the capability of managing vnets. This method for managing vimages / vnets has been in use for the past 7 years without any observable issues. The userland tool to be used in conjunction with the interim API can be found in p4: //depot/projects/vimage-commit2/src/usr.sbin/vimage/... and will most probably never get committed to svn. While here, bump copyright notices in kern_vimage.c and vimage.h to cover work done in year 2009. Approved by: julian (mentor) Discussed with: bz, rwatson
|
#
0304c731 |
|
27-May-2009 |
Jamie Gritton <jamie@FreeBSD.org> |
Add hierarchical jails. A jail may further virtualize its environment by creating a child jail, which is visible to that jail and to any parent jails. Child jails may be restricted more than their parents, but never less. Jail names reflect this hierarchy, being MIB-style dot-separated strings. Every thread now points to a jail, the default being prison0, which contains information about the physical system. Prison0's root directory is the same as rootvnode; its hostname is the same as the global hostname, and its securelevel replaces the global securelevel. Note that the variable "securelevel" has actually gone away, which should not cause any problems for code that properly uses securelevel_gt() and securelevel_ge(). Some jail-related permissions that were kept in global variables and set via sysctls are now per-jail settings. The sysctls still exist for backward compatibility, used only by the now-deprecated jail(2) system call. Approved by: bz (mentor)
|
#
29b02909 |
|
08-May-2009 |
Marko Zec <zec@FreeBSD.org> |
Introduce a new virtualization container, provisionally named vprocg, to hold virtualized instances of hostname and domainname, as well as a new top-level virtualization struct vimage, which holds pointers to struct vnet and struct vprocg. Struct vprocg is likely to become replaced in the near future with a new jail management API import. As a consequence of this change, change struct ucred to point to a struct vimage, instead of directly pointing to a vnet. Merge vnet / vimage / ucred refcounting infrastructure from p4 / vimage branch. Permit kldload / kldunload operations to be executed only from the default vimage context. This change should have no functional impact on nooptions VIMAGE kernel builds. Reviewed by: bz Approved by: julian (mentor)
|
#
6f6174a7 |
|
08-Mar-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Improve the consistency of MAC Framework and MAC policy entry point naming by renaming certain "proc" entry points to "cred" entry points, reflecting their manipulation of credentials. For some entry points, the process was passed into the framework but not into policies; in these cases, stop passing in the process since we don't need it. mac_proc_check_setaudit -> mac_cred_check_setaudit mac_proc_check_setaudit_addr -> mac_cred_check_setaudit_addr mac_proc_check_setauid -> mac_cred_check_setauid mac_proc_check_setegid -> mac_cred_check_setegid mac_proc_check_seteuid -> mac_cred_check_seteuid mac_proc_check_setgid -> mac_cred_check_setgid mac_proc_check_setgroups -> mac_cred_check_setgroups mac_proc_check_setregid -> mac_cred_check_setregid mac_proc_check_setresgid -> mac_cred_check_setresgid mac_proc_check_setresuid -> mac_cred_check_setresuid mac_proc_check_setreuid -> mac_cred_check_setreuid mac_proc_check_setuid -> mac_cred_check_setuid Obtained from: TrustedBSD Project Sponsored by: Google, Inc.
|
#
af80b2c9 |
|
11-Dec-2008 |
Konstantin Belousov <kib@FreeBSD.org> |
The userland_sysctl() function retries sysctl_root() until returned error is not EAGAIN. Several sysctls that inspect another process use p_candebug() for checking access right for the curproc. p_candebug() returns EAGAIN for some reasons, in particular, for the process doing exec() now. If execing process tries to lock Giant, we get a livelock, because sysctl handlers are covered by Giant, and often do not sleep. Break the livelock by dropping Giant and allowing other threads to execute in the EAGAIN loop. Also, do not return EAGAIN from p_candebug() when process is executing, use more appropriate EBUSY error [1]. Reported and tested by: pho Suggested by: rwatson [1] Reviewed by: rwatson, des MFC after: 1 week
|
#
1ede983c |
|
23-Oct-2008 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Retire the MALLOC and FREE macros. They are an abomination unto style(9). MFC after: 3 months
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
f08ef6c5 |
|
17-Oct-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add cr_canseeinpcb() doing checks using the cached socket credentials from inp_cred which is also available after the socket is gone. Switch cr_canseesocket consumers to cr_canseeinpcb. This removes an extra acquisition of the socket lock. Reviewed by: rwatson MFC after: 3 months (set timer; decide then)
|
#
30d239bc |
|
24-Oct-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Merge first in a series of TrustedBSD MAC Framework KPI changes from Mac OS X Leopard--rationalize naming for entry points to the following general forms: mac_<object>_<method/action> mac_<object>_check_<method/action> The previous naming scheme was inconsistent and mostly reversed from the new scheme. Also, make object types more consistent and remove spaces from object types that contain multiple parts ("posix_sem" -> "posixsem") to make mechanical parsing easier. Introduce a new "netinet" object type for certain IPv4/IPv6-related methods. Also simplify, slightly, some entry point names. All MAC policy modules will need to be recompiled, and modules not updated as part of this commit will need to be modified to conform to the new KPI. Sponsored by: SPARTA (original patches against Mac OS X) Obtained from: TrustedBSD Project, Apple Computer
|
#
32f9753c |
|
11-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Eliminate now-unused SUSER_ALLOWJAIL arguments to priv_check_cred(); in some cases, move to priv_check() if it was an operation on a thread and no other flags were present. Eliminate caller-side jail exception checking (also now-unused); jail privilege exception code now goes solely in kern_jail.c. We can't yet eliminate suser() due to some cases in the KAME code where a privilege check is performed and then used in many different deferred paths. Do, however, move those prototypes to priv.h. Reviewed by: csjp Obtained from: TrustedBSD Project
|
#
faef5371 |
|
07-Jun-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Move per-process audit state from a pointer in the proc structure to embedded storage in struct ucred. This allows audit state to be cached with the thread, avoiding locking operations with each system call, and makes it available in asynchronous execution contexts, such as deep in the network stack or VFS. Reviewed by: csjp Approved by: re (kensmith) Obtained from: TrustedBSD Project
|
#
873fbcd7 |
|
05-Mar-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Further system call comment cleanup: - Remove also "MP SAFE" after prior "MPSAFE" pass. (suggested by bde) - Remove extra blank lines in some cases. - Add extra blank lines in some cases. - Remove no-op comments consisting solely of the function name, the word "syscall", or the system call name. - Add punctuation. - Re-wrap some comments.
|
#
0c14ff0e |
|
04-Mar-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Remove 'MPSAFE' annotations from the comments above most system calls: all system calls now enter without Giant held, and then in some cases, acquire Giant explicitly. Remove a number of other MPSAFE annotations in the credential code and tweak one or two other adjacent comments.
|
#
ef08c420 |
|
08-Jan-2007 |
Robert Watson <rwatson@FreeBSD.org> |
Sort copyrights together. MFC after: 3 days
|
#
800c9408 |
|
06-Nov-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new priv(9) kernel interface for checking the availability of privilege for threads and credentials. Unlike the existing suser(9) interface, priv(9) exposes a named privilege identifier to the privilege checking code, allowing more complex policies regarding the granting of privilege to be expressed. Two interfaces are provided, replacing the existing suser(9) interface: suser(td) -> priv_check(td, priv) suser_cred(cred, flags) -> priv_check_cred(cred, priv, flags) A comprehensive list of currently available kernel privileges may be found in priv.h. New privileges are easily added as required, but the comments on adding privileges found in priv.h and priv(9) should be read before doing so. The new privilege interface exposed sufficient information to the privilege checking routine that it will now be possible for jail to determine whether a particular privilege is granted in the check routine, rather than relying on hints from the calling context via the SUSER_ALLOWJAIL flag. For now, the flag is maintained, but a new jail check function, prison_priv_check(), is exposed from kern_jail.c and used by the privilege check routine to determine if the privilege is permitted in jail. As a result, a centralized list of privileges permitted in jail is now present in kern_jail.c. The MAC Framework is now also able to instrument privilege checks, both to deny privileges otherwise granted (mac_priv_check()), and to grant privileges otherwise denied (mac_priv_grant()), permitting MAC Policy modules to implement privilege models, as well as control a much broader range of system behavior in order to constrain processes running with root privilege. The suser() and suser_cred() functions remain implemented, now in terms of priv_check() and the PRIV_ROOT privilege, for use during the transition and possibly continuing use by third party kernel modules that have not been updated. The PRIV_DRIVER privilege exists to allow device drivers to check privilege without adopting a more specific privilege identifier. This change does not modify the actual security policy, rather, it modifies the interface for privilege checks so changes to the security policy become more feasible. Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
aed55708 |
|
22-Oct-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h begun with a repo-copy of mac.h to mac_framework.h. sys/mac.h now contains the userspace and user<->kernel API and definitions, with all in-kernel interfaces moved to mac_framework.h, which is now included across most of the kernel instead. This change is the first step in a larger cleanup and sweep of MAC Framework interfaces in the kernel, and will not be MFC'd. Obtained from: TrustedBSD Project Sponsored by: SPARTA
|
#
5702e096 |
|
17-Sep-2006 |
Robert Watson <rwatson@FreeBSD.org> |
Declare security and security.bsd sysctl hierarchies in sysctl.h along with other commonly used sysctl name spaces, rather than declaring them all over the place. MFC after: 1 month Sponsored by: nCircle Network Security, Inc.
|
#
3cb83e71 |
|
06-Jul-2006 |
John Baldwin <jhb@FreeBSD.org> |
Add kern_setgroups() and kern_getgroups() and use them to implement ibcs2_[gs]etgroups() rather than using the stackgap. This also makes ibcs2_[gs]etgroups() MPSAFE. Also, it cleans up one bit of weirdness in the old setgroups() where it allocated an entire credential just so it had a place to copy the group list into. Now setgroups just allocates a NGROUPS_MAX array on the stack that it copies into and then passes to kern_setgroups().
|
#
2f8a46d5 |
|
05-Feb-2006 |
Wayne Salamon <wsalamon@FreeBSD.org> |
Audit the arguments (user/group IDs) for the system calls that set these IDs. Obtained from: TrustedBSD Project Approved by: rwatson (mentor)
|
#
7e9e371f |
|
27-Sep-2005 |
John Baldwin <jhb@FreeBSD.org> |
Use the refcount API to manage the reference count for user credentials rather than using pool mutexes. Tested on: i386, alpha, sparc64
|
#
babe9a2b |
|
18-Apr-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce p_canwait() and MAC Framework and MAC Policy entry points mac_check_proc_wait(), which control the ability to wait4() specific processes. This permits MAC policies to limit information flow from children that have changed label, although has to be handled carefully due to common programming expectations regarding the behavior of wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for this reason. The mac_stub and mac_test policies are updated to reflect these new entry points. Sponsored by: SPAWAR, SPARTA Obtained from: TrustedBSD Project
|
#
030a28b3 |
|
16-Apr-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce new MAC Framework and MAC Policy entry points to control the use of system calls to manipulate elements of the process credential, including: setuid() mac_check_proc_setuid() seteuid() mac_check_proc_seteuid() setgid() mac_check_proc_setgid() setegid() mac_check_proc_setegid() setgroups() mac_check_proc_setgroups() setreuid() mac_check_proc_setreuid() setregid() mac_check_proc_setregid() setresuid() mac_check_proc_setresuid() setresgid() mac_check_proc_setresgid() MAC checks are performed before other existing security checks; both current credential and intended modifications are passed as arguments to the entry points. The mac_test and mac_stub policies are updated. Submitted by: Samy Al Bahra <samy@kerneled.org> Obtained from: TrustedBSD Project
|
#
2322a0a7 |
|
18-Mar-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Impose the upper limit on signals that are allowed between kernel threads in set[ug]id program for compatibility with Linux. Linuxthreads uses 4 signals from SIGRTMIN to SIGRTMIN+3. Pointed out by: rwatson
|
#
f9cd63d4 |
|
18-Mar-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Linuxthreads uses not only signal 32 but several signals >= 32. PR: kern/72922 Submitted by: Andriy Gapon <avg@icyb.net.ua>
|
#
4b178336 |
|
03-Mar-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
In linux emulation layer try to detect attempt to use linux_clone() to create kernel threads and call rfork(2) with RFTHREAD flag set in this case, which puts parent and child into the same threading group. As a result all threads that belong to the same program end up in the same threading group. This is similar to what linuxthreads port does, though in this case we don't have the luxury of having access to the source code and there is no definite way to differentiate linux_clone() called for threading purposes from other uses, so that we have to resort to heuristics. Allow SIGTHR to be delivered between all processes in the same threading group; previously it has been blocked for s[ug]id processes. This also should improve locking of the same file descriptor from different threads in programs running under linux compat layer. PR: kern/72922 Reported by: Andriy Gapon <avg@icyb.net.ua> Idea suggested by: rwatson
|
#
f460d056 |
|
13-Feb-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Backout addition of SIGTHR into the list of signals allowed to be delivered to the suid/sugid process, since apparently it has security implications. Suggested by: rwatson
|
#
1a88a252 |
|
13-Feb-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Backout previous change (disabling of security checks for signals delivered in emulation layers), since it appears to be too broad. Requested by: rwatson
|
#
d8ff44b7 |
|
13-Feb-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Split out kill(2) syscall service routine into user-level and kernel part, the former is callable from user space and the latter from the kernel one. Make kernel version take additional argument which tells if the respective call should check for additional restrictions for sending signals to suid/sugid applications or not. Make all emulation layers use the non-checked version, since signal numbers in emulation layers can have different meaning than in native mode and such protection can cause misbehaviour. As a result remove LIBTHR from the signals allowed to be delivered to a suid/sugid application. Requested (sorta) by: rwatson MFC after: 2 weeks
|
#
ac16ff40 |
|
11-Feb-2005 |
Maxim Sobolev <sobomax@FreeBSD.org> |
Add SIGTHR (32) into list of signals permitted to be delivered to the suid application. The problem is that Linux applications using old Linux threads (pre-NPTL) use signal 32 (linux SIGRTMIN) for communication between thread-processes. If such a linux application is installed suid or sgid and security.bsd.conservative_signals=1 (default), then permission will be denied to send such a signal and the application will freeze. I believe the same will be true for native applications that use libthr, since libthr uses SIGTHR for implementing conditional variables. PR: 72922 Submitted by: Andriy Gapon <avg@icyb.net.ua> MFC after: 2 weeks
|
#
471135a3 |
|
23-Jan-2005 |
Robert Watson <rwatson@FreeBSD.org> |
Style cleanup: with removal of mutex operations, we can also remove {}'s from securelevel_gt() and securelevel_ge(). MFC after: 1 week
|
#
0b880542 |
|
23-Jan-2005 |
Robert Watson <rwatson@FreeBSD.org> |
When reading pr_securelevel from a prison, perform a lockless read, as it's an integer read operation and the resulting slight race is acceptable. MFC after: 1 week
|
#
9454b2d8 |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for copyright notices, minor format tweaks as necessary
|
#
99e9dcb8 |
|
31-Aug-2004 |
Julian Elischer <julian@FreeBSD.org> |
Remove sched_free_thread() which was only used in diagnostics. It has outlived its usefulness and has started causing panics for people who turn on DIAGNOSTIC, in what is otherwise good code. MFC after: 2 days
|
#
56f21b9d |
|
26-Jul-2004 |
Colin Percival <cperciva@FreeBSD.org> |
Rename suser_cred()'s PRISON_ROOT flag to SUSER_ALLOWJAIL. This is somewhat clearer, but more importantly allows for a consistent naming scheme for suser_cred flags. The old name is still defined, but will be removed in a few days (unless I hear any complaints...) Discussed with: rwatson, scottl Requested by: jhb
|
#
71a057bc |
|
22-Jul-2004 |
Robert Watson <rwatson@FreeBSD.org> |
In setpgid(), since td is passed in as a system call argument, use it in preference to curthread, which costs slightly more.
|
#
df04411a |
|
22-Jul-2004 |
Robert Watson <rwatson@FreeBSD.org> |
suser() accepts a thread argument; as suser() dereferences td_ucred, a thread-local pointer, in practice that thread needs to be curthread. If we're running with INVARIANTS, generate a warning if not. If we have KDB compiled in, generate a stack trace. This doesn't fire at all in my local test environment, but could be irritating if it fires frequently for someone, so there will be motivation to fix things quickly when it does.
|
#
24283cc0 |
|
16-Jul-2004 |
Colin Percival <cperciva@FreeBSD.org> |
Add a SUSER_RUID flag to suser_cred. This flag indicates that we want to check if the *real* user is the superuser (vs. the normal behaviour, which checks the effective user). Reviewed by: rwatson
|
#
310e7ceb |
|
12-Jun-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Socket MAC labels so_label and so_peerlabel are now protected by SOCK_LOCK(so): - Hold socket lock over calls to MAC entry points reading or manipulating socket labels. - Assert socket lock in MAC entry point implementations. - When externalizing the socket label, first make a thread-local copy while holding the socket lock, then release the socket lock to externalize to userspace.
|
#
1930e303 |
|
11-Jun-2004 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Deorbit COMPAT_SUNOS. We inherited this from the sparc32 port of BSD4.4-Lite1. We have neither a sparc32 port nor a SunOS4.x compatibility desire these days.
|
#
7f8a436f |
|
05-Apr-2004 |
Warner Losh <imp@FreeBSD.org> |
Remove advertising clause from University of California Regent's license, per letter dated July 22, 1999. Approved by: core
|
#
646e29cc |
|
23-Jan-2004 |
Robert Watson <rwatson@FreeBSD.org> |
Don't grab Giant in crfree(), since prison_free() no longer requires it. The uidinfo code appears to be MPSAFE, and is referenced without Giant elsewhere. While this grab of Giant was only made in fairly rare circumstances (actually GC'ing on refcount==0), grabbing Giant here potentially introduces lock order issues with any locks held by the caller. So this probably won't help performance much unless you change credentials a lot in an application, and leave a lot of file descriptors and cached credentials around. However, it simplifies locking down consumers of the credential interfaces. Bumped into by: sam Appeased: tjr
|
#
56d9e932 |
|
06-Dec-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency. Approved by: re (scottl) Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
|
#
64d19c2e |
|
17-Nov-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Add a sysctl, security.bsd.see_other_gids, similar in semantics to see_other_uids but with the logical conversion. This is based on (but not identical to) the patch submitted by Samy Al Bahra. Submitted by: Samy Al Bahra <samy@kerneled.com>
|
#
e07c897e |
|
23-Oct-2003 |
John Baldwin <jhb@FreeBSD.org> |
Writes to p_flag in __setugid() no longer need Giant.
|
#
62c45ef4 |
|
14-Sep-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Add a new sysctl, security.bsd.conservative_signals, to disable special signal-delivery protections for setugid processes. In the event that a system is relying on "unusual" signal delivery to processes that change their credentials, this can be used to work around application problems. Also, add SIGALRM to the set of signals permitted to be delivered to setugid processes by unprivileged subjects. Reported by: Joe Greco <jgreco@ns.sol.net>
|
#
857d9c60 |
|
12-Jul-2003 |
Don Lewis <truckman@FreeBSD.org> |
Extend the mutex pool implementation to permit the creation and use of multiple mutex pools with different options and sizes. Mutex pools can be created with either the default sleep mutexes or with spin mutexes. A dynamically created mutex pool can now be destroyed if it is no longer needed. Create two pools by default, one that matches the existing pool that uses the MTX_NOWITNESS option that should be used for building higher level locks, and a new pool with witness checking enabled. Modify the users of the existing mutex pool to use the appropriate pool in the new implementation. Reviewed by: jhb
|
#
a10d5f02 |
|
03-Jul-2003 |
Olivier Houchard <cognet@FreeBSD.org> |
In setpgrp(), don't assume a pgrp won't exist if the provided pgid is the same as the target process' pid, it may exist if the process forked before leaving the pgrp. This fixes a panic that happens when calling setpgid to make a process re-enter the pgrp with the same pgid as its pid if the pgrp still exists.
|
#
7f3bfd66 |
|
25-Jun-2003 |
Olivier Houchard <cognet@FreeBSD.org> |
At this point targp will always be NULL, so remove the useless if.
|
#
2bceb0f2 |
|
15-Jun-2003 |
Robert Watson <rwatson@FreeBSD.org> |
Various cr*() calls believed to be MPSAFE, since the uidinfo code is locked down.
|
#
677b542e |
|
10-Jun-2003 |
David E. O'Brien <obrien@FreeBSD.org> |
Use __FBSDID().
|
#
8bccf703 |
|
09-Jun-2003 |
John Baldwin <jhb@FreeBSD.org> |
The issetugid() function is MPSAFE.
|
#
52c3844c |
|
01-May-2003 |
John Baldwin <jhb@FreeBSD.org> |
Remove Giant from the setuid(), seteuid(), setgid(), setegid(), setgroups(), setreuid(), setregid(), setresuid(), and setresgid() syscalls as well as the cred_update_thread() function.
|
#
a70a2b74 |
|
25-Apr-2003 |
John Baldwin <jhb@FreeBSD.org> |
Remove Giant from getpgid() and getsid() and tweak the logic to more closely match that of 4.x.
|
#
a163d034 |
|
18-Feb-2003 |
Warner Losh <imp@FreeBSD.org> |
Back out M_* changes, per decision of the TRB. Approved by: trb
|
#
3749dff3 |
|
09-Feb-2003 |
Jake Burkholder <jake@FreeBSD.org> |
Remove mtx_lock_giant from functions which are mp-safe.
|
#
44956c98 |
|
21-Jan-2003 |
Alfred Perlstein <alfred@FreeBSD.org> |
Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
|
#
f9d0d524 |
|
01-Aug-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do. Reminded by: bde
|
#
8a1d977d |
|
30-Jul-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce support for Mandatory Access Control and extensible kernel access control. Implement inter-process access control entry points for the MAC framework. This permits policy modules to augment the decision making process for process and socket visibility, process debugging, re-scheduling, and signaling. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
40244964 |
|
30-Jul-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Introduce support for Mandatory Access Control and extensible kernel access control. Invoke the necessary MAC entry points to maintain labels on process credentials. In particular, invoke entry points for the initialization and destruction of struct ucred, the copying of struct ucred, and permit the initial labels to be set for both process 0 (parent of all kernel processes) and process 1 (parent of all user processes). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
aaa1c771 |
|
10-Jul-2002 |
Jonathan Mini <mini@FreeBSD.org> |
Revert removal of cred_free_thread(): It is used to ensure that a thread's credentials are not improperly borrowed when the thread is not current in the kernel. Requested by: jhb, alfred
|
#
7f05b035 |
|
28-Jun-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
More caddr_t removal, make fo_ioctl take a void * instead of a caddr_t.
|
#
01ad8a53 |
|
24-Jun-2002 |
Jonathan Mini <mini@FreeBSD.org> |
Remove unused diagnostic function cred_free_thread(). Approved by: alfred
|
#
1419eacb |
|
19-Jun-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
Squish the "could sleep with process lock" messages caused by calling uifind() with a proc lock held. change_ruid() and change_euid() have been modified to take a uidinfo structure which will be pre-allocated by callers, they will then call uihold() on the uidinfo structure so that the caller's logic is simplified. This allows one to call uifind() before locking the proc struct and thereby avoid a potential blocking allocation with the proc lock held. This may need revisiting, perhaps keeping a spare uidinfo allocated per process to handle this situation or re-examining if the proc lock needs to be held over the entire operation of changing real or effective user id. Submitted by: Don Lewis <dl-freebsd@catspoiler.org>
|
#
f2102dad |
|
18-Jun-2002 |
Alfred Perlstein <alfred@FreeBSD.org> |
setsugid() touches p->p_flag so assert that the proc is locked.
|
#
f44d9e24 |
|
18-May-2002 |
John Baldwin <jhb@FreeBSD.org> |
Change p_can{debug,see,sched,signal}()'s first argument to be a thread pointer instead of a proc pointer and require the process pointed to by the second argument to be locked. We now use the thread ucred reference for the credential checks in p_can*() as a result. p_canfoo() should now no longer need Giant.
|
#
6041fa0a |
|
03-May-2002 |
Seigo Tanimura <tanimura@FreeBSD.org> |
As malloc(9) and free(9) are now Giant-free, remove the Giant lock across malloc(9) and free(9) of a pgrp or a session.
|
#
1c2451c2 |
|
19-Apr-2002 |
Seigo Tanimura <tanimura@FreeBSD.org> |
Push down Giant for setpgid(), setsid() and aio_daemon(). Giant protects only malloc(9) and free(9).
|
#
c8b1829d |
|
16-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
- Lock proctree_lock instead of pgrpsess_lock.
- Simplify return logic of setsid() and setpgid().
|
#
07f3485d |
|
13-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
- Change the algorithms of the syscalls to modify process credentials to allocate a blank cred first, lock the process, perform checks on the old process credential, copy the old process credential into the new blank credential, modify the new credential, update the process credential pointer, unlock the process, and cleanup rather than trying to allocate a new credential after performing the checks on the old credential.
- Cleanup _setugid() a little bit.
- setlogin() doesn't need Giant thanks to pgrp/session locking and td_ucred.
|
#
70499328 |
|
03-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
- Axe a stale comment. We haven't allowed the ucred pointer passed to securelevel_*() to be NULL for a while now.
- Use KASSERT() instead of if (foo) panic(); to optimize the !INVARIANTS case.
Submitted by: Martin Faxer <gmh003532@brfmasthugget.se>
|
#
44731cab |
|
01-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag. Discussed on: smp@
|
#
4c44ad8e |
|
01-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Whitespace only change: use ANSI function declarations instead of K&R.
|
#
4269e184 |
|
01-Apr-2002 |
John Baldwin <jhb@FreeBSD.org> |
Fix style bug in previous commit.
|
#
d74ac681 |
|
26-Mar-2002 |
Matthew Dillon <dillon@FreeBSD.org> |
Compromise for critical*()/cpu_critical*() recommit. Cleanup the interrupt disablement assumptions in kern_fork.c by adding another API call, cpu_critical_fork_exit(). Cleanup the td_savecrit field by moving it from MI to MD. Temporarily move cpu_critical*() from <arch>/include/cpufunc.h to <arch>/<arch>/critical.c (stage-2 will clean this up).

Implement interrupt deferral for i386 that allows interrupts to remain enabled inside critical sections. This also fixes an IPI interlock bug, and requires uses of icu_lock to be enclosed in a true interrupt disablement.

This is the stage-1 commit. Stage-2 will occur after stage-1 has stabilized, and will move cpu_critical*() into its own header file(s) + other things. This commit may break non-i386 architectures in trivial ways. This should be temporary.
Reviewed by: core
Approved by: core
|
#
d846883b |
|
22-Mar-2002 |
John Baldwin <jhb@FreeBSD.org> |
Use td_ucred in several trivial syscalls and remove Giant locking as appropriate.
|
#
f2ae7368 |
|
22-Mar-2002 |
John Baldwin <jhb@FreeBSD.org> |
Use explicit Giant locks and unlocks rather than instrumented ones for code that is still not safe. suser() reads p_ucred so it still needs Giant for the time being. This should allow kern.giant.proc to be set to 0 for the time being.
|
#
29dc1288 |
|
22-Mar-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Merge from TrustedBSD MAC branch: Move the network code from using cr_cansee() to check whether a socket is visible to a requesting credential to using a new function, cr_canseesocket(), which accepts a subject credential and object socket. Implement cr_canseesocket() so that it does a prison check, a uid check, and add a comment where shortly a MAC hook will go. This will allow MAC policies to separately instrument the visibility of sockets from the visibility of processes. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
4584bb39 |
|
22-Mar-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Since cred never appears to be passed into the securelevel calls as NULL, turn warning printf's into panic's, since this call has been restructured such that a NULL cred would result in a page fault anyway. There appears to be one case where NULL is explicitly passed in the sysctl code, and this is believed to be in error, so will be modified. Securelevels now always require a credential context so that per-jail securelevels are properly implemented. Obtained from: TrustedBSD Project Sponsored by: NAI Labs Discussed with: bde
|
#
1b350b45 |
|
21-Mar-2002 |
Robert Watson <rwatson@FreeBSD.org> |
Break out the "see_other_uids" policy check from the various method-based inter-process security checks. To do this, introduce a new cr_seeotheruids(u1, u2) function, which encapsulates the "see_other_uids" logic. Call out to this policy following the jail security check for all of {debug,sched,see,signal} inter-process checks. This more consistently enforces the check, and makes the check easy to modify. Eventually, it may be that this check should become a MAC policy, loaded via a module. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
c1a513c9 |
|
20-Mar-2002 |
John Baldwin <jhb@FreeBSD.org> |
- Push down Giant into crfree() in the case that we actually free a ucred.
- Add a cred_free_thread() function (conditional on DIAGNOSTICS) that drops a per-thread ucred reference to be used in debugging code when leaving the kernel.
|
#
183ccde6 |
|
11-Mar-2002 |
Seigo Tanimura <tanimura@FreeBSD.org> |
Stop abusing the pgrpsess_lock.
|
#
65e3406d |
|
27-Feb-2002 |
John Baldwin <jhb@FreeBSD.org> |
Temporarily lock Giant while we update td_ucred. The proc lock doesn't fully protect p_ucred yet so Giant is needed until all the p_ucred locking is done. This is the original reason td_ucred was not used immediately after its addition. Unfortunately, not using td_ucred is not enough to avoid problems. Since p_ucred could be stale, we could actually be dereferencing a stale pointer to dink with the refcount, so we really need Giant to avoid foot-shooting. This allows td_ucred to be safely used as well.
|
#
2f932587 |
|
27-Feb-2002 |
Seigo Tanimura <tanimura@FreeBSD.org> |
Return ESRCH if the target process is not inferior to the curproc. Spotted by: HIROSHI OOTA <oota@LSi.nec.co.jp>
|
#
76183f34 |
|
26-Feb-2002 |
Dima Dorfman <dd@FreeBSD.org> |
Introduce a version field to `struct xucred' in place of one of the spares (the size of the field was changed from u_short to u_int to reflect what it really ends up being). Accordingly, change users of xucred to set and check this field as appropriate. In the kernel, this is being done inside the new cru2x() routine which takes a `struct ucred' and fills out a `struct xucred' according to the former. This also has the pleasant side effect of removing some duplicate code. Reviewed by: rwatson
|
#
f591779b |
|
23-Feb-2002 |
Seigo Tanimura <tanimura@FreeBSD.org> |
Lock struct pgrp, session and sigio. New locks are:
- pgrpsess_lock which locks the whole pgrps and sessions,
- pg_mtx which protects the pgrp members, and
- s_mtx which protects the session members.
Please refer to sys/proc.h for the coverage of these locks.

Changes on the pgrp/session interface:
- pgfind() needs the pgrpsess_lock held.
- The caller of enterpgrp() is responsible to allocate a new pgrp and session.
- Call enterthispgrp() in order to enter an existing pgrp.
- pgsignal() requires a pgrp lock held.
Reviewed by: jhb, alfred
Tested on: cvsup.jp.FreeBSD.org (which is a quad-CPU machine running -current)
|
#
e1bca29f |
|
17-Feb-2002 |
Matthew Dillon <dillon@FreeBSD.org> |
replace the embedded cr_mtx in the ucred structure with cr_mtxp (a mutex pointer), and use the mutex pool routines. This greatly reduces the size of the ucred structure.
|
#
2eb927e2 |
|
16-Feb-2002 |
Julian Elischer <julian@FreeBSD.org> |
If the credential on an incoming thread is correct, don't bother reacquiring it. In the same vein, don't bother dropping the thread cred when going to userland. We are guaranteed to need it when we come back, (which we are guaranteed to do). Reviewed by: jhb@freebsd.org, bde@freebsd.org (slightly different version)
|
#
d0615c64 |
|
15-Jan-2002 |
Andrew R. Reiter <arr@FreeBSD.org> |
- Attempt to help declutter kern. sysctl by moving security out from beneath it. Reviewed by: rwatson
|
#
c83f8015 |
|
05-Jan-2002 |
Robert Watson <rwatson@FreeBSD.org> |
- Push much of the logic for p_cansignal() behind cr_cansignal, which authorizes based on a subject credential rather than a subject process. This will permit the same logic to be reused in situations where only the credential generating the signal is available, such as in the delivery of SIGIO.
- Because of two clauses, the automatic success against curproc, and the session semantics for SIGCONT, not all logic can be pushed into cr_cansignal(), but those cases should not apply for most other consumers of cr_cansignal().
- This brings the base system inter-process authorization code more into line with the MAC implementation.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
|
#
5a92ee3c |
|
06-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o A few more minor whitespace and other style fixes. Submitted by: bde
|
#
9147519a |
|
06-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Remove unnecessary inclusion of opt_global.h. Submitted by: bde
|
#
65bbadfb |
|
05-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Make kern.security.bsd.suser_enabled TUNABLE. Requested by: green
|
#
5d476e73 |
|
03-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Update an instance of 'unprivileged_procdebug_permitted' missed in the previous commit: the comment should also call it 'unprivileged_proc_debug'.
|
#
01137630 |
|
03-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce pr_mtx into struct prison, providing protection for the mutable contents of struct prison (hostname, securelevel, refcount, pr_linux, ...)
o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/ so as to enforce these protections, in particular, in kern_mib.c protection sysctl access to the hostname and securelevel, as well as kern_prot.c access to the securelevel for access control purposes.
o Rewrite linux emulator abstractions for accessing per-jail linux mib entries (osname, osrelease, osversion) so that they don't return a pointer to the text in the struct linux_prison, rather, a copy to an array passed into the calls. Likewise, update linprocfs to use these primitives.
o Update in_pcb.c to always use prison_getip() rather than directly accessing struct prison.
Reviewed by: jhb
|
#
4f5a4612 |
|
02-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Uniformly copy uap arguments into local variables before grabbing giant, and make whitespace more consistent around giant-frobbing.
|
#
f605567c |
|
02-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Remove KSE race in setuid() in which oldcred was preserved before giant was grabbed. This was introduced in 1.101 when the giant pushdown for kern_prot.c was originally performed.
|
#
eb725b4e |
|
02-Dec-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o General style, formatting, etc, improvements:
- uid's -> uids
- whitespace improvements, linewrap improvements
- reorder copyright more appropriately
- remove redundant MP SAFE comments, add one "NOT MPSAFE?" for setgroups(), which seems to be the sole un-changed system call in the file.
- clean up securelevel_g?() functions, improve comments.
Largely submitted by: bde
|
#
e409590d0 |
|
30-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Further sysctl name simplification, generally stripping 'permitted', using '_'s more consistently. Discussed with: bde, jhb Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
48713bdc |
|
30-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Move current inhabitants of kern.security to kern.security.bsd, so that new models can inhabit kern.security.<modelname>. o While I'm there, shorten somewhat excessive variable names, and clean things up a little. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
|
#
5b29d6e9 |
|
12-Nov-2001 |
John Baldwin <jhb@FreeBSD.org> |
Clean up breakage in inferior() I introduced in 1.92 of kern_proc.c:
- Restore inferior() to being iterative rather than recursive.
- Assert that the proctree_lock is held in inferior() and change the one caller to get a shared lock of it. This also ensures that we hold the lock after performing the check so the check can't be made invalid out from under us after the check but before we act on it.
Requested by: bde
|
#
db42a33d |
|
02-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce group subset test, which limits the ability of a process to debug another process based on their respective {effective,additional, saved,real} gid's. p1 is only permitted to debug p2 if its effective gids (egid + additional groups) are a strict superset of the gids of p2. This implements properly the security test previously incorrectly implemented in kern_ktrace.c, and is consistent with the kernel security policy (although might be slightly confusing for those more familiar with the userland policy).
o Restructure p_candebug() logic so that various results are generated comparing uids, gids, credential changes, and then composed in a single check before testing for privilege. These tests encapsulate the "BSD" inter-process debugging policy. Other non-BSD checks remain separate. Additional comments are added.
Submitted by: tmm, rwatson
Obtained from: TrustedBSD Project
Reviewed by: petef, tmm, rwatson
|
#
5fab7614 |
|
02-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Add a comment to p_candebug() noting that the P_INEXEC check should really be moved elsewhere: p_candebug() encapsulates the security policy decision, whereas the P_INEXEC check has to do with "correctness" regarding race conditions, rather than security policy. Example: even if no security protections were enforced (the "uids are advisory" model), removing P_INEXEC could result in incorrect operation due to races on credential evaluation and modification during execve(). Obtained from: TrustedBSD Project
|
#
4df571b1 |
|
02-Nov-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Capabilities cap_check() interface revised to remove _xxx, so rename in p_cansched(). Also, replace '0' with 'NULL' for the ucred * pointer. Obtained from: TrustedBSD Project
|
#
9ca45e81 |
|
27-Oct-2001 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Add a P_INEXEC flag that indicates that the process has called execve() and it has not yet returned. Use this flag to deny debugging requests while the process is execve()ing, and close once and for all any race conditions that might occur between execve() and various debugging interfaces. Reviewed by: jhb, rwatson
|
#
d23f5958 |
|
26-Oct-2001 |
Matthew Dillon <dillon@FreeBSD.org> |
Add mtx_lock_giant() and mtx_unlock_giant() wrappers for sysctl management of Giant during the Giant unwinding phase, and start work on instrumenting Giant for the file and proc mutexes. These wrappers allow developers to turn on and off Giant around various subsystems. DEVELOPERS SHOULD NEVER TURN OFF GIANT AROUND A SUBSYSTEM JUST BECAUSE THE SYSCTL EXISTS! General developers should only consider turning on Giant for a subsystem whose default is off (to help track down bugs). Only developers working on particular subsystems who know what they are doing should consider turning off Giant.

These wrappers will greatly improve our ability to unwind Giant and test the kernel on a (mostly) subsystem by subsystem basis. They allow Giant unwinding developers (GUDs) to emplace appropriate subsystem and structural mutexes in the main tree and then request that the larger community test the work by turning off Giant around the subsystem(s), without the larger community having to mess around with patches. These wrappers also allow GUDs to boot into a (more likely to be) working system in the midst of their unwinding work and to test that work under more controlled circumstances.

There is a master sysctl, kern.giant.all, which defaults to 0 (off). If turned on it overrides *ALL* other kern.giant sysctls and forces Giant to be turned on for all wrapped subsystems. If turned off then Giant around individual subsystems are controlled by various other kern.giant.XXX sysctls. Code which overlaps multiple subsystems must have all related subsystem Giant sysctls turned off in order to run without Giant.
|
#
bd78cece |
|
11-Oct-2001 |
John Baldwin <jhb@FreeBSD.org> |
Change the kernel's ucred API as follows:
- crhold() returns a reference to the ucred whose refcount it bumps.
- crcopy() now simply copies the credentials from one credential to another and has no return value.
- a new crshared() primitive is added which returns true if a ucred's refcount is > 1 and false (0) otherwise.
|
#
698166ca |
|
11-Oct-2001 |
John Baldwin <jhb@FreeBSD.org> |
Whitespace fixes.
|
#
6a90c862 |
|
11-Oct-2001 |
John Baldwin <jhb@FreeBSD.org> |
Rework some code to be a bit simpler by inverting a few tests and using else clauses instead of goto's.
|
#
f21fc127 |
|
10-Oct-2001 |
John Baldwin <jhb@FreeBSD.org> |
Add a temporary hack that will go away with the ucred API update to bzero the duplicated mutex before initializing it to avoid triggering the check for init'ing an already initialized mutex.
|
#
8a7d8cc6 |
|
09-Oct-2001 |
Robert Watson <rwatson@FreeBSD.org> |
- Combine kern.ps_showallprocs and kern.ipc.showallsockets into a single kern.security.seeotheruids_permitted, described as: "Unprivileged processes may see subjects/objects with different real uid" NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is an API change. kern.ipc.showallsockets does not.
- Check kern.security.seeotheruids_permitted in cr_cansee().
- Replace visibility calls to socheckuid() with cr_cansee() (retain the change to socheckuid() in ipfw, where it is used for rule-matching).
- Remove prison_unpcb() and make use of cr_cansee() against the UNIX domain socket credential instead of comparing root vnodes for the UDS and the process. This allows multiple jails to share the same chroot() and not see each others UNIX domain sockets.
- Remove unused socheckproc().
Now that cr_cansee() is used universally for socket visibility, a variety of policies are more consistently enforced, including uid-based restrictions and jail-based restrictions. This also better-supports the introduction of additional MAC models.
Reviewed by: ps, billf
Obtained from: TrustedBSD Project
|
#
32d18604 |
|
09-Oct-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Recent addition of (p1==p2) exception in p_candebug() permitted processes to attach debugging to themselves even though the global kern_unprivileged_procdebug_permitted policy might disallow this.
o Move the kern_unprivileged_procdebug_permitted check above the (p1==p2) check.
Reviewed by: des
|
#
23fad5b6 |
|
07-Oct-2001 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Always succeed if the target process is the same as the requesting process.
|
#
87fce2bb |
|
26-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o When performing a securelevel check as part of securelevel_ge() or securelevel_gt(), determine first if a local securelevel exists -- if so, perform the check based on imax(local, global). Otherwise, simply use the global value.
o Note: even though local securelevels might lag below the global one, if the global value is updated to higher than local values, maximum will still be used, making the global dominant even if there is local lag.
Obtained from: TrustedBSD Project
|
#
75bc5b3f |
|
25-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o So, when <dd> e-mailed me and said that the comment was inverted for securelevel_ge() and securelevel_gt(), I was a little surprised, but fixed it. Turns out that it was the code that was inverted, during a whitespace cleanup in my commit tree. This commit inverts the checks, and restores the comment.
|
#
94088977 |
|
20-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Rename u_cansee() to cr_cansee(), making the name more comprehensible in the face of a rename of ucred to cred, and possibly generally. Obtained from: TrustedBSD Project
|
#
288b7893 |
|
19-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Clarification of securelevel_{ge,gt} comment. Submitted by: dd
|
#
3ca719f1 |
|
18-Sep-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce two new calls, securelevel_gt() and securelevel_ge(), which abstract the securelevel implementation details from the checking code. The call in -CURRENT accepts a struct ucred--in -STABLE, it will accept struct proc. This facilitates the upcoming commit of per-jail securelevel support. The calls will also generate a kernel printf if the calls are made with NULL ucred/proc pointers: generally speaking, there are few instances of this, and they should be fixed.
o Update p_candebug() to use securelevel_gt(); future updates to the remainder of the kernel tree will be committed soon.
Obtained from: TrustedBSD Project
|
#
b40ce416 |
|
12-Sep-2001 |
Julian Elischer <julian@FreeBSD.org> |
KSE Milestone 2 Note ALL MODULES MUST BE RECOMPILED make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to the previous -current except that there is a thread associated with each process. Sorry john! (your next MFC will be a doosie!) Reviewed by: peter@freebsd.org, dillon@freebsd.org X-MFC after: ha ha ha ha
|
#
835a82ee |
|
01-Sep-2001 |
Matthew Dillon <dillon@FreeBSD.org> |
Giant Pushdown. Saved the worst P4 tree breakage for last. reboot() getpriority() setpriority() rtprio() osetrlimit() ogetrlimit() setrlimit() getrlimit() getrusage() getpid() getppid() getpgrp() getpgid() getsid() getgid() getegid() getgroups() setsid() setpgid() setuid() seteuid() setgid() setegid() setgroups() setreuid() setregid() setresuid() setresgid() getresuid() getresgid () __setugid() getlogin() setlogin() modnext() modfnext() modstat() modfind() kldload() kldunload() kldfind() kldnext() kldstat() kldfirstmod() kldsym() getdtablesize() dup2() dup() fcntl() close() ofstat() fstat() nfsstat() fpathconf() flock()
|
#
93f4fd1c |
|
31-Aug-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Screw over users of the kern.{security.,}suser_permitted sysctl again, by renaming it to kern.security.suser_enabled. This makes the name consistent with other use: "permitted" now refers to a specific right or privilege, whereas "enabled" refers to a feature. As this hasn't been MFC'd, and using this destroys a running system currently, I believe the user base of the sysctl will not be too unhappy.
o While I'm at it, un-staticize and export the supporting variable, as it will be used by kern_cap.c shortly.
Obtained from: TrustedBSD Project
|
#
7fd6a959 |
|
28-Aug-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Improve the style of a number of routines and comments in kern_prot.c, with regards to redundancy, formatting, and style(9). Submitted by: bde
|
#
4bcbade8 |
|
27-Aug-2001 |
Robert Watson <rwatson@FreeBSD.org> |
Fix typos in recent comments. Submitted by: dd
|
#
3b243b72 |
|
27-Aug-2001 |
Robert Watson <rwatson@FreeBSD.org> |
Generally improve documentation of kern_prot.c:
o Add comments for:
- kern.security.suser_permitted
- p_cansee()
- p_cansignal()
- p_cansched()
- kern.security.unprivileged_procdebug_permitted
- p_candebug()
Update copyright.
Obtained from: TrustedBSD
|
#
e7f65fdc |
|
31-Jul-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Modify p_candebug() such that there is no longer automatic acceptance of debugging the current process when that is in conflict with other restrictions (such as jail, unprivileged_procdebug_permitted, etc).
o This corrects anomalies in the behavior of kern.security.unprivileged_procdebug_permitted when using truss and ktrace. The theory goes that this is now safe to use.
Obtained from: TrustedBSD Project
|
#
0ef5652e |
|
31-Jul-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce new kern.security sysctl tree for kernel security policy MIB entries.
o Relocate kern.suser_permitted to kern.security.suser_permitted.
o Introduce new kern.security.unprivileged_procdebug_permitted, which (when set to 0) prevents processes without privilege from performing a variety of inter-process debugging activities. The default is 1, to provide current behavior. This feature allows "hardened" systems to disable access to debugging facilities, which have been associated with a number of past security vulnerabilities. Previously, while procfs could be unmounted, other in-kernel facilities (such as ptrace()) were still available. This setting should not be modified on normal development systems, as it will result in frustration. Some utilities respond poorly to failing to get the debugging access they require, and error response by these utilities may be improved in the future in the name of beautification. Note that there are currently some odd interactions with some facilities, which will need to be resolved before this should be used in production, including odd interactions with truss and ktrace. Note also that currently, tracing is permitted on the current process regardless of this flag, for compatibility with previous authorization code in various facilities, but that will probably change (and resolve the odd interactions).
Obtained from: TrustedBSD Project
|
#
a0f75161 |
|
05-Jul-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Replace calls to p_can(..., P_CAN_xxx) with calls to p_canxxx(). The p_can(...) construct was a premature (and, it turns out, awkward) abstraction. The individual calls to p_canxxx() better reflect differences between the inter-process authorization checks, such as differing checks based on the type of signal. This has a side effect of improving code readability.
o Replace direct credential authorization checks in ktrace() with invocation of p_candebug(), while maintaining the special case check of KTR_ROOT. This allows ktrace() to "play more nicely" with new mandatory access control schemes, as well as making its authorization checks consistent with other "debugging class" checks.
o Eliminate "privused" construct for p_can*() calls which allowed the caller to determine if privilege was required for successful evaluation of the access control check. This primitive is currently unused, and as such, serves only to complicate the API.
Approved by: ({procfs,linprocfs} changes) des
Obtained from: TrustedBSD Project
|
#
4589be70 |
|
06-Jun-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
Unbreak setregid(2). Spotted by: Alexander Leidinger <Alexander@Leidinger.net>
|
#
823c224e |
|
27-May-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o uifree() the cr_ruidinfo in crfree() as well as cr_uidinfo now that the real uid info is in the credential also. Submitted by: egge
|
#
b1fc0ec1 |
|
25-May-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Merge contents of struct pcred into struct ucred. Specifically, add the real uid, saved uid, real gid, and saved gid to ucred, as well as the pcred->pc_uidinfo, which was associated with the real uid, only rename it to cr_ruidinfo so as not to conflict with cr_uidinfo, which corresponds to the effective uid.
o Remove p_cred from struct proc; add p_ucred to struct proc, replacing original macro that pointed. p->p_ucred to p->p_cred->pc_ucred.
o Universally update code so that it makes use of ucred instead of pcred, p->p_ucred instead of p->p_pcred, cr_ruidinfo instead of p_uidinfo, cr_{r,sv}{u,g}id instead of p_*, etc.
o Remove pcred0 and its initialization from init_main.c; initialize cr_ruidinfo there.
o Restructure many credential modification chunks to always crdup while we figure out locking and optimizations; generally speaking, this means moving to a structure like this:
    newcred = crdup(oldcred);
    ...
    p->p_ucred = newcred;
    crfree(oldcred);
It's not race-free, but better than nothing. There are also races in sys_process.c, all inter-process authorization, fork, exec, and exit.
o Remove sigio->sio_ruid since sigio->sio_ucred now contains the ruid; remove comments indicating that the old arrangement was a problem.
o Restructure exec1() a little to use newcred/oldcred arrangement, and use improved uid management primitives.
o Clean up exit1() so as to do less work in credential cleanup due to pcred removal.
o Clean up fork1() so as to do less work in credential cleanup and allocation.
o Clean up ktrcanset() to take into account changes, and move to using suser_xxx() instead of performing a direct uid==0 comparison.
o Improve commenting in various kern_prot.c credential modification calls to better document current behavior. In a couple of places, current behavior is a little questionable and we need to check POSIX.1 to make sure it's "right". More commenting work still remains to be done.
o Update credential management calls, such as crfree(), to take into account new ruidinfo reference.
o Modify or add the following uid and gid helper routines: change_euid() change_egid() change_ruid() change_rgid() change_svuid() change_svgid() In each case, the call now acts on a credential not a process, and as such no longer requires more complicated process locking/etc. They now assume the caller will do any necessary allocation of an exclusive credential reference. Each is commented to document its reference requirements.
o CANSIGIO() is simplified to require only credentials, not processes and pcreds.
o Remove lots of (p_pcred==NULL) checks.
o Add an XXX to authorization code in nfs_lock.c, since it's questionable, and needs to be considered carefully.
o Simplify posix4 authorization code to require only credentials, not processes and pcreds. Note that this authorization, as well as CANSIGIO(), needs to be updated to use the p_cansignal() and p_cansched() centralized authorization routines, as they currently do not take into account some desirable restrictions that are handled by the centralized routines, as well as being inconsistent with other similar authorization instances.
o Update libkvm to take these changes into account.
Obtained from: TrustedBSD Project
Reviewed by: green, bde, jhb, freebsd-arch, freebsd-audit
|
#
6bd1912d |
|
17-May-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Modify access control checks in p_candebug() such that the policy is as follows: the effective uid of p1 (subject) must equal the real, saved, and effective uids of p2 (object), p2 must not have undergone a credential downgrade. A subject with appropriate privilege may override these protections. In the future, we will extend these checks to require that p1 effective group membership must be a superset of p2 effective group membership. Obtained from: TrustedBSD Project
|
#
fb919e4d |
|
01-May-2001 |
Mark Murray <markm@FreeBSD.org> |
Undo part of the tangle of having sys/lock.h and sys/mutex.h included in other "system" header files. Also help the deprecation of lockmgr.h by making it a sub-include of sys/lock.h and removing sys/lockmgr.h form kernel .c files. Sort sys/*.h includes where possible in affected files. OK'ed by: bde (with reservations)
|
#
80c9c40d |
|
26-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Remove the disabled p_cansched() test cases that permitted users to modify the scheduling properties of processes with a different real uid but the same effective uid (i.e., daemons, et al). (note: these cases were previously commented out, so this does not change the compiled code at all) Obtained from: TrustedBSD Project
|
#
33a9ed9d |
|
23-Apr-2001 |
John Baldwin <jhb@FreeBSD.org> |
Change the pfind() and zpfind() functions to lock the process that they find before releasing the allproc lock and returning. Reviewed by: -smp, dfr, jake
|
#
5ea6583e |
|
21-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Remove comment indicating policy permits loop-back debugging, but semantics don't: in practice, both policy and semantics permit loop-back debugging operations, only it's just a subset of debugging operations (i.e., a proc can open its own /dev/mem), and that's at a higher layer.
|
#
e04670b7 |
|
17-Apr-2001 |
Alfred Perlstein <alfred@FreeBSD.org> |
Add a sanity check on ucred refcount. Submitted by: Terry Lambert <terry@lambert.org>
|
#
e9e7ff5b |
|
13-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Since uid checks in p_cansignal() are now identical between P_SUGID and non-P_SUGID cases, simplify p_cansignal() logic so that the P_SUGID masking of possible signals is independent from uid checks, removing redundant code and generally improving readability. Reviewed by: tmm Obtained from: TrustedBSD Project
|
#
44c3e09c |
|
12-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Disallow two "allow this" exceptions in p_cansignal() restricting the ability of unprivileged processes to deliver arbitrary signals to daemons temporarily taking on unprivileged effective credentials when P_SUGID is not set on the target process: Removed: (p1->p_cred->cr_ruid != ps->p_cred->cr_uid) (p1->p_ucred->cr_uid != ps->p_cred->cr_uid) o Replace two "allow this" exceptions in p_cansignal() restricting the ability of unprivileged processes to deliver arbitrary signals to daemons temporarily taking on unprivileged effective credentials when P_SUGID is set on the target process: Replaced: (p1->p_cred->p_ruid != p2->p_ucred->cr_uid) (p1->p_cred->cr_uid != p2->p_ucred->cr_uid) With: (p1->p_cred->p_ruid != p2->p_ucred->p_svuid) (p1->p_ucred->cr_uid != p2->p_ucred->p_svuid) o These changes have the effect of making the uid-based handling of both P_SUGID and non-P_SUGID signal delivery consistent, following these four general cases: p1's ruid equals p2's ruid p1's euid equals p2's ruid p1's ruid equals p2's svuid p1's euid equals p2's svuid The P_SUGID and non-P_SUGID cases can now be largely collapsed, and I'll commit this in a few days if no immediate problems are encountered with this set of changes. o These changes remove a number of warning cases identified by the proc_to_proc inter-process authorization regression test. o As these are new restrictions, we'll have to watch out carefully for possible side effects on running code: they seem reasonable to me, but it's possible this change might have to be backed out if problems are experienced. Submitted by: src/tools/regression/security/proc_to_proc/testuid Reviewed by: tmm Obtained from: TrustedBSD Project
|
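The uid rules this commit describes, worked through as an added C example that is not FreeBSD code: the `struct cred` record, the two policy functions and the uids are constructed simplifications of the kernel's ucred/pcred fields, kept only to show which subject/object pairs the old and new checks admit.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical, simplified credential record standing in for the kernel's
 * ucred/pcred pair: only the three uids the signal policy compares. */
struct cred {
    uid_t ruid;   /* real uid */
    uid_t euid;   /* effective uid */
    uid_t svuid;  /* saved uid */
};

/*
 * Rule before the commit (non-P_SUGID case): the subject p1 may signal the
 * object p2 if p1's ruid or euid equals p2's ruid, or equals p2's *effective*
 * uid (the two "allow this" exceptions the commit removed).
 * Returns 0 when permitted, EPERM otherwise.
 */
int cansignal_uid_old(const struct cred *p1, const struct cred *p2)
{
    if (p1->ruid == p2->ruid || p1->euid == p2->ruid ||
        p1->ruid == p2->euid || p1->euid == p2->euid)
        return 0;
    return EPERM;
}

/*
 * Rule after the commit: the euid comparisons are replaced by saved-uid
 * comparisons, giving the four cases listed in the message:
 *   p1 ruid == p2 ruid,   p1 euid == p2 ruid,
 *   p1 ruid == p2 svuid,  p1 euid == p2 svuid.
 * A daemon that only temporarily lowered its euid keeps svuid 0, so an
 * unprivileged subject no longer matches it.
 */
int cansignal_uid_new(const struct cred *p1, const struct cred *p2)
{
    if (p1->ruid == p2->ruid || p1->euid == p2->ruid ||
        p1->ruid == p2->svuid || p1->euid == p2->svuid)
        return 0;
    return EPERM;
}

/* Constructed scenarios; the uid values are made up for this example. */
const struct cred user        = { 1001, 1001, 1001 }; /* ordinary user         */
const struct cred other_user  = { 1002, 1002, 1002 }; /* a different user      */
const struct cred root_daemon = { 0,    1001, 0    }; /* root, euid dropped    */
const struct cred suid_prog   = { 1001, 0,    0    }; /* setuid-root, run by user */

int main(void)
{
    /* Old rule lets the user signal the daemon via its temporary euid. */
    printf("user -> daemon, old rule: %d\n", cansignal_uid_old(&user, &root_daemon));
    /* New rule denies it: the daemon's ruid and svuid are both 0. */
    printf("user -> daemon, new rule: %d\n", cansignal_uid_new(&user, &root_daemon));
    /* A setuid program started by the user still matches on ruid. */
    printf("user -> setuid program, new rule: %d\n", cansignal_uid_new(&user, &suid_prog));
    /* Another user matches neither ruid 1001 nor svuid 0. */
    printf("other user -> setuid program, new rule: %d\n", cansignal_uid_new(&other_user, &suid_prog));
    return 0;
}
```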
#
04890827 |
|
12-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Disable two "allow this" exceptions in p_cansched(), restricting the ability of unprivileged processes to modify the scheduling properties of daemons temporarily taking on unprivileged effective credentials. These cases (p1->p_cred->p_ruid == p2->p_ucred->cr_uid) and (p1->p_ucred->cr_uid == p2->p_ucred->cr_uid), respectively permitting a subject process to influence the scheduling of a daemon if the subject process has the same real uid or effective uid as the daemon's effective uid. This removes a number of the warning cases identified by the proc_to_proc inter-process authorization regression test. o As these are new restrictions, we'll have to watch out carefully for possible side effects on running code: they seem reasonable to me, but it's possible this change might have to be backed out if problems are experienced. Reported by: src/tools/regression/security/proc_to_proc/testuid Obtained from: TrustedBSD Project
|
#
eb9e5c1d |
|
12-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Reduce information leakage into jails by adding invocations of p_can(...P_CAN_SEE...) to getpgid(), getsid(), and setpgid(), blocking these operations on processes that should not be visible by the requesting process. Required to reduce information leakage in MAC environments. Obtained from: TrustedBSD Project
|
#
4c5eb9c3 |
|
11-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Replace p_cankill() with p_cansignal(), remove wrappage of p_can() from signal authorization checking. o p_cansignal() takes three arguments: subject process, object process, and signal number, unlike p_cankill(), which only took into account the processes and not the signal number, improving the abstraction such that CANSIGNAL() from kern_sig.c can now also be eliminated; previously CANSIGNAL() special-cased the handling of SIGCONT based on process session. privused is now deprecated. o The new p_cansignal() further limits the set of signals that may be delivered to processes with P_SUGID set, and restructures the access control check to allow it to be extended more easily. o These changes take into account work done by the OpenBSD Project, as well as by Robert Watson and Thomas Moestl on the TrustedBSD Project. Obtained from: TrustedBSD Project
|
#
130d0157 |
|
11-Apr-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce a new system call, __setsugid(), which allows a process to toggle the P_SUGID bit explicitly, rather than relying on it being set implicitly by other protection and credential logic. This feature is introduced to support inter-process authorization regression testing by simplifying userland credential management allowing the easy isolation and reproduction of authorization events with specific security contexts. This feature is enabled only by "options REGRESSION" and is not intended to be used by applications. While the feature is not known to introduce security vulnerabilities, it does allow processes to enter previously inaccessible parts of the credential state machine, and is therefore disabled by default. It may not constitute a risk, and therefore in the future pending further analysis (and appropriate need) may become a published interface. Obtained from: TrustedBSD Project
|
#
f8e6ab29 |
|
29-Mar-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Restructure privilege check associated with process visibility for ps_showallprocs such that if superuser is present to override process hiding, the search falls through [to success]. When additional restrictions are placed on process visibility, such as MAC, new clauses will be placed above the return(0). Obtained from: TrustedBSD Project
|
#
ed639720 |
|
28-Mar-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o introduce u_cansee(), which performs access control checks between two subject ucreds. Unlike p_cansee(), u_cansee() doesn't have process lock requirements, only valid ucred reference requirements, so is preferred as process locking improves. For now, back p_cansee() into u_cansee(), but eventually p_cansee() will go away. Reviewed by: jhb, tmm Obtained from: TrustedBSD Project
|
#
bae3a80b |
|
23-Mar-2001 |
John Baldwin <jhb@FreeBSD.org> |
Just use the proc lock to protect read accesses to p_pptr rather than the more expensive proctree lock.
|
#
91421ba2 |
|
20-Feb-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Move per-process jail pointer (p->pr_prison) to inside of the subject credential structure, ucred (cr->cr_prison). o Allow jail inheritance to be a function of credential inheritance. o Abstract prison structure reference counting behind pr_hold() and pr_free(), invoked by the similarly named credential reference management functions, removing this code from per-ABI fork/exit code. o Modify various jail() functions to use struct ucred arguments instead of struct proc arguments. o Introduce jailed() function to determine if a credential is jailed, rather than directly checking pointers all over the place. o Convert PRISON_CHECK() macro to prison_check() function. o Move jail() function prototypes to jail.h. o Emulate the P_JAILED flag in fill_kinfo_proc() and no longer set the flag in the process flags field itself. o Eliminate that "const" qualifier from suser/p_can/etc to reflect mutex use. Notes: o Some further cleanup of the linux/jail code is still required. o It's now possible to consider resolving some of the process vs credential based permission checking confusion in the socket code. o Mutex protection of struct prison is still not present, and is required to protect the reference count plus some fields in the structure. Reviewed by: freebsd-arch Obtained from: TrustedBSD Project
|
#
661702ab |
|
13-Feb-2001 |
Robert Watson <rwatson@FreeBSD.org> |
o Fix spellign in a comment: s/referernce/reference/
|
#
9ed346ba |
|
08-Feb-2001 |
Bosko Milekic <bmilekic@FreeBSD.org> |
Change and clean the mutex lock interface. mtx_enter(lock, type) becomes: mtx_lock(lock) for sleep locks (MTX_DEF-initialized locks) mtx_lock_spin(lock) for spin locks (MTX_SPIN-initialized) similarly, for releasing a lock, we now have: mtx_unlock(lock) for MTX_DEF and mtx_unlock_spin(lock) for MTX_SPIN. We change the caller interface for the two different types of locks because the semantics are entirely different for each case, and this makes it explicitly clear and, at the same time, it rids us of the extra `type' argument. The enter->lock and exit->unlock change has been made with the idea that we're "locking data" and not "entering locked code" in mind. Further, remove all additional "flags" previously passed to the lock acquire/release routines with the exception of two: MTX_QUIET and MTX_NOSWITCH The functionality of these flags is preserved and they can be passed to the lock/unlock routines by calling the corresponding wrappers: mtx_{lock, unlock}_flags(lock, flag(s)) and mtx_{lock, unlock}_spin_flags(lock, flag(s)) for MTX_DEF and MTX_SPIN locks, respectively. Re-inline some lock acq/rel code; in the sleep lock case, we only inline the _obtain_lock()s in order to ensure that the inlined code fits into a cache line. In the spin lock case, we inline recursion and actually only perform a function call if we need to spin. This change has been made with the idea that we generally tend to avoid spin locks and that also the spin locks that we do have and are heavily used (i.e. sched_lock) do recurse, and therefore in an effort to reduce function call overhead for some architectures (such as alpha), we inline recursion for this case. Create a new malloc type for the witness code and retire from using the M_DEV type. The new type is called M_WITNESS and is only declared if WITNESS is enabled. Begin cleaning up some machdep/mutex.h code - specifically updated the "optimized" inlined code in alpha/mutex.h and wrote MTX_LOCK_SPIN and MTX_UNLOCK_SPIN asm macros for the i386/mutex.h as we presently need those. Finally, caught up to the interface changes in all sys code. Contributors: jake, jhb, jasone (in no particular order)
|
#
2fa72ea7 |
|
05-Feb-2001 |
Jeroen Ruigrok van der Werven <asmodai@FreeBSD.org> |
Fix typo: compatability -> compatibility. Compatability is not an existing English word.
|
#
4c061a9d |
|
13-Jan-2001 |
Ben Smithurst <ben@FreeBSD.org> |
Fix getsid() to use "=" instead of "==". Not objected to by: audit
|
#
98f03f90 |
|
23-Dec-2000 |
Jake Burkholder <jake@FreeBSD.org> |
Protect proc.p_pptr and proc.p_children/p_sibling with the proctree_lock. linprocfs not locked pending response from informal maintainer. Reviewed by: jhb, -smp@
|
#
5c3f70d7 |
|
30-Nov-2000 |
Alfred Perlstein <alfred@FreeBSD.org> |
make crfree into a function rather than a macro to avoid bloat because of the mutex acquire/release reorder struct ucred
|
#
1e5d626a |
|
26-Nov-2000 |
Alfred Perlstein <alfred@FreeBSD.org> |
ucred system overhaul: 1) mpsafe (protect the refcount with a mutex). 2) reduce duplicated code by removing the inlined crdup() from crcopy() and make crcopy() call crdup(). 3) use M_ZERO flag when allocating initial structs instead of calling bzero after allocation. 4) expand the size of the refcount from a u_short to an u_int, by using shorts we might have an overflow. Glanced at by: jake
|
#
7f73938e |
|
10-Nov-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Fix a mis-transcription of sef's -STABLE protection fixes--only root could debug processes after the commit that introduced the typo. Security is good, but security is not always the same as turning things off :-). PR: kern/22711 Obtained from: brooks@one-eyed-alien.net
|
#
c087a04f |
|
30-Oct-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Tighten up rules for which processes can't debug which other processes in the p_candebug() function. Synchronize with sef's CHECKIO() macro from the old procfs, which seems to be a good source of security checks. Obtained from: TrustedBSD Project
|
#
19c34d15 |
|
28-Oct-2000 |
Don Lewis <truckman@FreeBSD.org> |
Nuke a bit of dead code.
|
#
810bfc8e |
|
26-Oct-2000 |
Andrew Gallatin <gallatin@FreeBSD.org> |
unstaticize change_ruid() because it is needed by osf1_setuid()
|
#
f535380c |
|
05-Sep-2000 |
Don Lewis <truckman@FreeBSD.org> |
Remove uidinfo hash table lookup and maintenance out of chgproccnt() and chgsbsize(), which are called rather frequently and may be called from an interrupt context in the case of chgsbsize(). Instead, do the hash table lookup and maintenance when credentials are changed, which is a lot less frequent. Add pointers to the uidinfo structures to the ucred and pcred structures for fast access. Pass a pointer to the credential to chgproccnt() and chgsbsize() instead of passing the uid. Add a reference count to the uidinfo structure and use it to decide when to free the structure rather than freeing the structure when the resource consumption drops to zero. Move the resource tracking code from kern_proc.c to kern_resource.c. Move some duplicate code sequences in kern_prot.c to separate helper functions. Change KASSERTs in this code to unconditional tests and calls to panic().
|
#
c52396e3 |
|
31-Aug-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o p_cansee() wasn't setting privused when suser() was required to override kern.ps_showallprocs. Apparently got lost in the merge process from the capability patches. Now fixed. Submitted by: jdp Obtained from: TrustedBSD Project
|
#
387d2c03 |
|
29-Aug-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Centralize inter-process access control, introducing: int p_can(p1, p2, operation, privused) which allows specification of subject process, object process, inter-process operation, and an optional call-by-reference privused flag, allowing the caller to determine if privilege was required for the call to succeed. This allows jail, kern.ps_showallprocs and regular credential-based interaction checks to occur in one block of code. Possible operations are P_CAN_SEE, P_CAN_SCHED, P_CAN_KILL, and P_CAN_DEBUG. p_can currently breaks out as a wrapper to a series of static function checks in kern_prot, which should not be invoked directly. o Commented out capabilities entries are included for some checks. o Update most inter-process authorization to make use of p_can() instead of manual checks, PRISON_CHECK(), P_TRESPASS(), and kern.ps_showallprocs. o Modify suser{,_xxx} to use const arguments, as it no longer modifies process flags due to the disabling of ASU. o Modify some checks/errors in procfs so that ENOENT is returned instead of ESRCH, further improving concealment of processes that should not be visible to other processes. Also introduce new access checks to improve hiding of processes for procfs_lookup(), procfs_getattr(), procfs_readdir(). Correct a bug reported by bp concerning not handling the CREATE case in procfs_lookup(). Remove volatile flag in procfs that caused apparently spurious qualifier warnings (approved by bde). o Add comment noting that ktrace() has not been updated, as its access control checks are different from ptrace(), whereas they should probably be the same. Further discussion should happen on this topic. Reviewed by: bde, green, phk, freebsd-security, others Approved by: bde Obtained from: TrustedBSD Project
|
#
c6fac29a |
|
29-Aug-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Disable flagging of ASU in suser_xxx() authorization check. For the time being, the ASU accounting flag will no longer be available, but may be reinstituted in the future once authorization has been redone. As it is, the kernel went through contortions in access control to avoid calling suser, which always set the flag. This will also allow suser to accept const struct *{cred, proc} arguments. Reviewed by: bde, green, phk, freebsd-security, others Approved by: bde Obtained from: TrustedBSD Project
|
#
c6362551 |
|
22-Jun-2000 |
Alfred Perlstein <alfred@FreeBSD.org> |
fix races in the uidinfo subsystem, several problems existed: 1) while allocating a uidinfo struct malloc is called with M_WAITOK, it's possible that while asleep another process by the same user could have woken up earlier and inserted an entry into the uid hash table. Having redundant entries causes inconsistencies that we can't handle. fix: do a non-waiting malloc, and if that fails then do a blocking malloc, after waking up check that no one else has inserted an entry for us already. 2) Because many checks for sbsize were done as "test then set" in a non atomic manner it was possible to exceed the limits put up via races. fix: instead of querying the count then setting, we just attempt to set the count and leave it up to the function to return success or failure. 3) The uidinfo code was inlining and repeating, lookups and insertions and deletions needed to be in their own functions for clarity. Reviewed by: green
|
#
579f4eb4 |
|
05-Jun-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o bde suggested moving the SYSCTL from kern_mib to the more appropriate kern_prot, which cleans up some namespace issues o Don't need a special handler to limit un-setting, as suser is used to protect suser_permitted, making it one-way by definition. Suggested by: bde
|
#
03095547 |
|
05-Jun-2000 |
Robert Watson <rwatson@FreeBSD.org> |
o Introduce kern.suser_permitted, a sysctl that disables the suser_xxx() returning anything but EPERM. o suser is enabled by default; once disabled, cannot be reenabled o To be used in alternative security models where uid0 does not connote additional privileges o Should be noted that uid0 still has some additional powers as it owns many important files and executables, so suffers from the same fundamental security flaws as securelevels. This is fixed with MAC integrity protection code (in progress) o Not safe for consumption unless you are *really* sure you don't want things like shutdown to work, et al :-) Obtained from: TrustedBSD Project
|
#
0e59fec6 |
|
08-May-2000 |
Peter Wemm <peter@FreeBSD.org> |
Make issetugid return correctly. It was returning -1 with errno == 1 if it was set?id! Submitted by: Valentin Nechayev <netch@segfault.kiev.ua>
|
#
7c8fdcbd |
|
02-Apr-2000 |
Matthew Dillon <dillon@FreeBSD.org> |
Make the sigprocmask() and geteuid() system calls MP SAFE. Expand commentary for copyin/copyout to indicate that they are MP SAFE as well. Reviewed by: msmith
|
#
36e9f877 |
|
28-Mar-2000 |
Matthew Dillon <dillon@FreeBSD.org> |
Commit major SMP cleanups and move the BGL (big giant lock) in the syscall path inward. A system call may select whether it needs the MP lock or not (the default being that it does need it). A great deal of conditional SMP code for various deadended experiments has been removed. 'cil' and 'cml' have been removed entirely, and the locking around the cpl has been removed. The conditional separately-locked fast-interrupt code has been removed, meaning that interrupts must hold the CPL now (but they pretty much had to anyway). Another reason for doing this is that the original separate-lock for interrupts just doesn't apply to the interrupt thread mechanism being contemplated. Modifications to the cpl may now ONLY occur while holding the MP lock. For example, if an otherwise MP safe syscall needs to mess with the cpl, it must hold the MP lock for the duration and must (as usual) save/restore the cpl in a nested fashion. This is precursor work for the real meat coming later: avoiding having to hold the MP lock for common syscalls and I/O's and interrupt threads. It is expected that the spl mechanisms and new interrupt threading mechanisms will be able to run in tandem, allowing a slow piecemeal transition to occur. This patch should result in a moderate performance improvement due to the considerable amount of code that has been removed from the critical path, especially the simplification of the spl*() calls. The real performance gains will come later. Approved by: jkh Reviewed by: current, bde (exception.s) Some work taken from: luoqi's patch
|
#
8ccd6334 |
|
16-Jan-2000 |
Peter Wemm <peter@FreeBSD.org> |
Implement setres[ug]id() and getres[ug]id(). This has been sitting in my tree for ages (~2 years) waiting for an excuse to commit it. Now Linux has implemented it and it seems that Staroffice (when using the linux_base6.1 port's libc) calls this in the linux emulator and dies in setup. The Linux emulator can call these now.
|
#
89361835 |
|
09-Jan-2000 |
Sean Eric Fagan <sef@FreeBSD.org> |
Handle the case where we truss an SUGID program -- in particular, we need to wake up any processes waiting via PIOCWAIT on process exit, and truss needs to be more aware that a process may actually disappear while it's waiting. Reviewed by: Paul Saab <ps@yahoo-inc.com>
|
#
b9effc89 |
|
03-Jan-2000 |
Poul-Henning Kamp <phk@FreeBSD.org> |
truss /usr/bin/su login (or not if root) then exit the shell truss will get stuck in tsleep I don't know if this is correct, but it fixes the problem and according to the comments in pioctl.h, PF_ISUGID is set when we want to ignore UID changes. The code is checking for when PF_ISUGID is not set and since it never is set, we always ignore UID changes. Submitted by: Paul Saab <ps@yahoo-inc.com>
|
#
a9e0361b |
|
21-Nov-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Introduce the new function p_trespass(struct proc *p1, struct proc *p2) which returns zero or an errno depending on the legality of p1 trespassing on p2. Replace kern_sig.c:CANSIGNAL() with call to p_trespass() and one extra signal related check. Replace procfs.h:CHECKIO() macros with calls to p_trespass(). Only show command lines to process which can trespass on the target process.
|
#
d1f088da |
|
11-Oct-1999 |
Peter Wemm <peter@FreeBSD.org> |
Trim unused options (or #ifdef for undoc options). Submitted by: phk
|
#
c3aac50f |
|
27-Aug-1999 |
Peter Wemm <peter@FreeBSD.org> |
$Id$ -> $FreeBSD$
|
#
75c13541 |
|
28-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
This Implements the mumbled about "Jail" feature. This is a seriously beefed up chroot kind of thing. The process is jailed along the same lines as a chroot does it, but with additional tough restrictions imposed on what the superuser can do. For all I know, it is safe to hand over the root bit inside a prison to the customer living in that prison, this is what it was developed for in fact: "real virtual servers". Each prison has an ip number associated with it, which all IP communications will be coerced to use and each prison has its own hostname. Needless to say, you need more RAM this way, but the advantage is that each customer can run their own particular version of apache and not stomp on the toes of their neighbors. It generally does what one would expect, but setting up a jail still takes a little knowledge. A few notes: I have no scripts for setting up a jail, don't ask me for them. The IP number should be an alias on one of the interfaces. mount a /proc in each jail, it will make ps more usable. /proc/<pid>/status tells the hostname of the prison for jailed processes. Quotas are only sensible if you have a mountpoint per prison. There are no provisions for stopping resource-hogging. Some "#ifdef INET" and similar may be missing (send patches!) If somebody wants to take it from here and develop it into more of a "virtual machine" they should be most welcome! Tools, comments, patches & documentation most welcome. Have fun... Sponsored by: http://www.rndassociates.com/ Run for almost a year by: http://www.servetheweb.com/
|
#
1c308b81 |
|
26-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Change suser_xxx() to suser() where it applies.
|
#
f711d546 |
|
27-Apr-1999 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Suser() simplification: 1: s/suser/suser_xxx/ 2: Add new function: suser(struct proc *), prototyped in <sys/proc.h>. 3: s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/ The remaining suser_xxx() calls will be scrutinized and dealt with later. There may be some unneeded #include <sys/cred.h>, but they are left as an exercise for Bruce. More changes to the suser() API will come along with the "jail" code.
|
#
8aef1712 |
|
27-Jan-1999 |
Matthew Dillon <dillon@FreeBSD.org> |
Fix warnings in preparation for adding -Wall -Wcast-qual to the kernel compile
|
#
65de0c7a |
|
13-Dec-1998 |
Don Lewis <truckman@FreeBSD.org> |
getpgid() and getsid() were doing a comparison rather than an assignment, which is fortunate, because otherwise another bug would allow them to be used to stomp on the syscall return value of another process.
|
#
1c5bb3ea |
|
10-Nov-1998 |
Peter Wemm <peter@FreeBSD.org> |
add #include <sys/kernel.h> where it's needed by MALLOC_DEFINE()
|
#
643a8daa |
|
09-Nov-1998 |
Don Lewis <truckman@FreeBSD.org> |
If the session leader dies, s_leader is set to NULL and getsid() may dereference a NULL pointer, causing a panic. Instead of following s_leader to find the session id, store it in the session structure. Jukka found the following info: BTW - I just found what I have been looking for. Std 1003.1 Part 1: SYSTEM API [C LANGUAGE] section 2.2.2.80 states quite explicitly... Session lifetime: The period between when a session is created and the end of lifetime of all the process groups that remain as members of the session. So, this quite clearly tells that while there is any single process in any process group which is a member of the session, the session remains as an independent entity. Reviewed by: peter Submitted by: "Jukka A. Ukkonen" <jau@jau.tmt.tele.fi>
|
#
10d4743f |
|
10-Jun-1998 |
Doug Rabson <dfr@FreeBSD.org> |
64bit fixes: use size_t not u_int for sizes.
|
#
d5f81602 |
|
19-Dec-1997 |
Sean Eric Fagan <sef@FreeBSD.org> |
Clear the p_stops field on change of user/group id, unless the correct flag is set in the p_pfsflags field. This, essentially, prevents an SUID program from hanging after being traced. (E.g., "truss /usr/bin/rlogin" would fail, but leave rlogin in a stopevent state.) Yet another case where procctl is (hopefully ;)) no longer needed in the general case. Reviewed by: bde (thanks bruce :))
|
#
5591b823d |
|
16-Dec-1997 |
Eivind Eklund <eivind@FreeBSD.org> |
Make COMPAT_43 and COMPAT_SUNOS new-style options.
|
#
cb226aaa |
|
06-Nov-1997 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Move the "retval" (3rd) parameter from all syscall functions and put it in struct proc instead. This fixes a boatload of compiler warning, and removes a lot of cruft from the sources. I have not removed the /*ARGSUSED*/, they will require some looking at. libkvm, ps and other userland struct proc frobbing programs will need recompiled.
|
#
7aef0500 |
|
17-Oct-1997 |
David Greenman <dg@FreeBSD.org> |
Killed non-sensical call to splimp/splx in crfree().
|
#
a1c995b6 |
|
12-Oct-1997 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Last major round (Unless Bruce thinks of something :-) of malloc changes. Distribute all but the most fundamental malloc types. This time I also remembered the trick to making things static: Put "static" in front of them. A couple of finer points by: bde
|
#
1a5018a0 |
|
19-Aug-1997 |
Peter Wemm <peter@FreeBSD.org> |
Implement XPG/SYSV-style getpgid()/getsid() syscalls. getpgid() uses the same syscall number as NetBSD/OpenBSD. The getpgid() came from NetBSD (I think) originally, but it's basically cut/paste/edit from the other simple get*() syscalls.
|
#
1fd0b058 |
|
02-Aug-1997 |
Bruce Evans <bde@FreeBSD.org> |
Removed unused #includes.
|
#
b79c6a86 |
|
02-Apr-1997 |
Peter Wemm <peter@FreeBSD.org> |
Don't incorrectly set P_SUGID in setre[ug]id() for no reason, as noticed by bde. Don't return EPERM in setre[ug]id() just because the caller passes in the current effective id in the second arg (ie: no change), as suggested by ache.
|
#
b67cbc65 |
|
31-Mar-1997 |
Peter Wemm <peter@FreeBSD.org> |
Implement code for an OpenBSD-style issetugid(). This is valuable for library code which needs to be able to find out whether the current process is or *was* set[ug]id at some point in the past, and may have a "tainted" execution environment. This is especially a problem with the trend to immediately revoke privs at startup and regain them for critical sections. One problem with this is that if a cracker is able to compromise the program while it's still got a saved id, the cracker can direct the program to regain the privs. Another problem is that the user may be able to affect the program in some other way (eg: setting resolver host aliases) and the library code needs to know when it should disable these sorts of features. Reviewed by: ache Inspired by: OpenBSD (but with a different implementation)
|
#
a89a5370 |
|
31-Mar-1997 |
Peter Wemm <peter@FreeBSD.org> |
Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed. (for supporting issetugid()) Reviewed by: ache (as was the previous commit, rev 1.29)
|
#
229a15f0 |
|
31-Mar-1997 |
Peter Wemm <peter@FreeBSD.org> |
Do not set the P_SUGID flag in seteuid()/setegid() if nothing has changed. (for supporting issetugid())
|
#
a08f4bf6 |
|
31-Mar-1997 |
Peter Wemm <peter@FreeBSD.org> |
Fully implement the clause in Appendix B.4.2.2 from Posix 1003.1 that allows traditional BSD setuid/setgid behavior. The only visible difference should be that a non-root setuid program (eg: inn's "rnews" program) that is setuid to news, can completely "become" uid news. (ie: setuid(geteuid()) This was allowed in traditional 4.2/4.3BSD and is now "blessed" by Posix as a special case of "appropriate privilege". Also, be much more careful with the P_SUGID flag so that we can use it for issetugid() - only set it if something changed. Reviewed by: ache
|
#
8a5d815a |
|
31-Mar-1997 |
Peter Wemm <peter@FreeBSD.org> |
Make setgroups(0, xxx) behave as it does on SYSV, namely clear the groups vector except for the egid in groups[0]. There is a risk that programs that come from SYSV/Linux that expect this to work and don't check for error returns may accidentally pass root's groups on to child processes. We now do what is least surprising (to non BSD programs/programmers) in this scenario, and nothing is changed for programs written with BSD groups rules in mind. Reviewed by: ache
|
#
53490b76 |
|
03-Mar-1997 |
Andrey A. Chernov <ache@FreeBSD.org> |
Oops, fix typo.
|
#
30cf3ac4 |
|
03-Mar-1997 |
Andrey A. Chernov <ache@FreeBSD.org> |
Don't copy more than MAXLOGNAME bytes in getlogin() syscall, it is stricter than padded s_login size check was there.
|
#
964ca0ca |
|
03-Mar-1997 |
Andrey A. Chernov <ache@FreeBSD.org> |
Use MAXLOGNAME for stricter size check in setlogin() syscall instead of sizeof of padded s_login array
|
#
6875d254 |
|
22-Feb-1997 |
Peter Wemm <peter@FreeBSD.org> |
Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet.
|
#
184989c2 |
|
09-Feb-1997 |
David Nugent <davidn@FreeBSD.org> |
Fix off by one error in setlogin() syscall. Don't overwrite session login unless the call is going to succeed.
|
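The 184989c2 entry above, together with 964ca0ca and 30cf3ac4, fixes the bounds of the session login name in both directions: setlogin() must not accept a name that does not fit MAXLOGNAME with its NUL, must not touch the session unless it will succeed, and getlogin() must never copy more than MAXLOGNAME bytes. The following is an added example, not FreeBSD's implementation: a user-space model of those three checks. The names (`struct session_model`, `model_copyinstr`, `model_setlogin`, `model_getlogin`) are assumptions for illustration; the kernel uses copyinstr()/copyout() and keeps the name in the session's s_login, sized by MAXLOGNAME from <sys/param.h>.

```c
/*
 * Added example (not FreeBSD code): user-space model of the setlogin()
 * and getlogin() bounds fixes in commits 184989c2, 964ca0ca and 30cf3ac4.
 * Names are assumptions; the kernel uses copyinstr()/copyout() and keeps
 * the name in the session's s_login, sized by MAXLOGNAME.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAXLOGNAME 33           /* 32 characters plus the terminating NUL */

struct session_model {
    char s_login[MODEL_MAXLOGNAME];
};

/* Bounded string copy in the shape of copyinstr(): fails unless a NUL fits. */
static int model_copyinstr(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i];
        if (src[i] == '\0')
            return 0;
    }
    return ENAMETOOLONG;
}

/*
 * setlogin(): root only.  The name is staged in a local buffer and checked
 * against MAXLOGNAME before anything touches the session, so a rejected call
 * leaves the previous login name intact (the 184989c2 point).
 */
static int model_setlogin(struct session_model *s, const char *name, bool root)
{
    char tmp[MODEL_MAXLOGNAME];
    int error;

    if (!root)
        return EPERM;
    error = model_copyinstr(tmp, name, sizeof(tmp));
    if (error == ENAMETOOLONG)
        return EINVAL;                /* 33 or more characters: rejected */
    if (error != 0)
        return error;
    memcpy(s->s_login, tmp, strlen(tmp) + 1);   /* commit only on success */
    return 0;
}

/*
 * getlogin(): never copies more than MAXLOGNAME bytes (30cf3ac4) and, as
 * modelled here, returns ERANGE when the caller's buffer cannot hold the
 * name plus its NUL.
 */
static int model_getlogin(const struct session_model *s, char *buf, size_t namelen)
{
    size_t len;

    if (namelen > MODEL_MAXLOGNAME)
        namelen = MODEL_MAXLOGNAME;
    len = strlen(s->s_login) + 1;
    if (len > namelen)
        return ERANGE;
    memcpy(buf, s->s_login, len);
    return 0;
}

int main(void)
{
    struct session_model s = { "old" };
    const char too_long[] = "abcdefghijklmnopqrstuvwxyz1234567";  /* 33 chars */

    printf("33-char name -> %d (EINVAL=%d), login still \"%s\"\n",
           model_setlogin(&s, too_long, true), EINVAL, s.s_login);
    return 0;
}
```

The boundary to exercise is exactly 32 versus 33 characters: a 32-character name fills MAXLOGNAME with its NUL and is accepted, a 33-character name is refused with EINVAL, and in the refused case the session still reports the previous name.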
#
1130b656 |
|
14-Jan-1997 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
Make the long-awaited change from $Id$ to $FreeBSD$ This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
|
#
78f64bcc |
|
19-Dec-1996 |
Bruce Evans <bde@FreeBSD.org> |
Fixed setpgid(). Negative pgids were accepted. Found by: NIST-PCTS
|
#
c957118e |
|
02-Sep-1996 |
Bruce Evans <bde@FreeBSD.org> |
Added #include of <unistd.h> so that there is some chance that _POSIX_SAVED_IDS is defined. This feature was broken for a day or two.
|
#
3f246666 |
|
01-Sep-1996 |
Andrey A. Chernov <ache@FreeBSD.org> |
Conditionalize POSIX saved ids code on _POSIX_SAVED_IDS define
|
#
cd73303c |
|
29-May-1996 |
David Greenman <dg@FreeBSD.org> |
Fix a panic caused by (proc)->p_session being dereferenced for a process that was exiting.
|
#
edbfedac |
|
11-Mar-1996 |
Peter Wemm <peter@FreeBSD.org> |
Import 4.4BSD-Lite2 onto the vendor branch, note that in the kernel, all files are off the vendor branch, so this should not change anything. A "U" marker generally means that the file was not changed in between the 4.4Lite and Lite-2 releases, and does not need a merge. "C" generally means that there was a change. [note new unused (in this form) syscalls.conf, to be 'cvs rm'ed]
|
#
d2d3e875 |
|
11-Nov-1995 |
Bruce Evans <bde@FreeBSD.org> |
Included <sys/sysproto.h> to get central declarations for syscall args structs and prototypes for syscalls. Ifdefed duplicated decentralized declarations of args structs. It's convenient to have this visible but they are hard to maintain. Some are already different from the central declarations. 4.4lite2 puts them in comments in the function headers but I wanted to avoid the large changes for that.
|
#
82970b81 |
|
10-Nov-1995 |
Bruce Evans <bde@FreeBSD.org> |
Fixed type of setsid(). It used the bogus `getsid_args'.
|
#
3956a170 |
|
04-Nov-1995 |
David Greenman <dg@FreeBSD.org> |
Return EINVAL if the number of groups is less than 1 in setgroups(). Obtained from: 4.4BSD-Lite2
|
#
ad7507e2 |
|
07-Oct-1995 |
Steven Wallace <swallace@FreeBSD.org> |
Remove prototype definitions from <sys/systm.h>. Prototypes are located in <sys/sysproto.h>. Add appropriate #include <sys/sysproto.h> to files that needed protos from systm.h. Add structure definitions to appropriate files that relied on sys/systm.h, right before system call definition, as in the rest of the kernel source. In kern_prot.c, instead of using the dummy structure "args", create individual dummy structures named <syscall>_args. This makes life easier for prototype generation.
|
#
00999cd6 |
|
15-Jun-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
Optimized and simplified version of setreuid/gid Fixed: lack of crcopy in certain conditions, lack of setting sv[ug]id in certain conditions. Fixes non-critical.
|
#
2c3be6c3 |
|
29-Apr-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
set[ug]id(): call suser() only when necessary Submitted by: bde
|
#
d3cdb93d |
|
28-Apr-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
Implement POSIX SAVED_IDS for setuid/setgid
|
#
611d721e |
|
28-Apr-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
setre*(): simplify return scheme, pointed by Bruce
|
#
4bc8f31f |
|
27-Apr-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
Implement setreuid/setregid according to SunOS manpage
|
#
e876c909 |
|
22-Apr-1995 |
Andrey A. Chernov <ache@FreeBSD.org> |
Make setreuid/setregid active syscalls
|
#
453de7da |
|
23-Apr-1995 |
Bruce Evans <bde@FreeBSD.org> |
Correct the type of the `acflag' arg to suser().
|
#
6fc4a1ae |
|
13-Oct-1994 |
Søren Schmidt <sos@FreeBSD.org> |
Added ifdef COMPAT_IBCS2 around setre[ug]id.
|
#
bb56ec4a |
|
25-Sep-1994 |
Poul-Henning Kamp <phk@FreeBSD.org> |
While in the real world, I had a bad case of being swapped out for a lot of cycles. While waiting there I added a lot of the extra ()'s I have, (I have never used LISP to any extent). So I compiled the kernel with -Wall and shut up a lot of "suggest you add ()'s", removed a bunch of unused var's and added a couple of declarations here and there. Having a lap-top is highly recommended. My kernel still runs, yell at me if your kernel breaks.
|
#
3c4dd356 |
|
02-Aug-1994 |
David Greenman <dg@FreeBSD.org> |
Added $Id$
|
#
26f9a767 |
|
25-May-1994 |
Rodney W. Grimes <rgrimes@FreeBSD.org> |
The big 4.4BSD Lite to FreeBSD 2.0.0 (Development) patch. Reviewed by: Rodney W. Grimes Submitted by: John Dyson and David Greenman
|
#
df8bae1d |
|
24-May-1994 |
Rodney W. Grimes <rgrimes@FreeBSD.org> |
BSD 4.4 Lite Kernel Sources
|