authorrwatson <rwatson@FreeBSD.org>2009-02-26 10:56:13 +0000
committerrwatson <rwatson@FreeBSD.org>2009-02-26 10:56:13 +0000
commitbf80a0a3785a14201f6cd25f2dd1a354fdaeda60 (patch)
tree8a1ee9af9cd172a1ba3ab15789a29b9f8b94d4b6 /sys/kern/kern_priv.c
parent226255f0b621bcdafe52740c904b4ff8eb60756d (diff)
Add static tracing for privilege checking:
priv:kernel:priv_check:priv_ok fires for granted privileges; priv:kernel:priv_check:priv_err fires for denied privileges. The first argument is the requested privilege number. The naming convention is a little different from the OpenSolaris equivalent because we can't have '-' in probefunc names, and our privilege namespace is different. MFC after: 1 week
Diffstat (limited to 'sys/kern/kern_priv.c')
-rw-r--r--sys/kern/kern_priv.c49
1 files changed, 40 insertions, 9 deletions
diff --git a/sys/kern/kern_priv.c b/sys/kern/kern_priv.c
index 100f6d4..beee245 100644
--- a/sys/kern/kern_priv.c
+++ b/sys/kern/kern_priv.c
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 2006 nCircle Network Security, Inc.
+ * Copyright (c) 2009 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by Robert N. M. Watson for the TrustedBSD
@@ -27,6 +28,7 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+#include "opt_kdtrace.h"
#include "opt_mac.h"
#include <sys/cdefs.h>
@@ -37,6 +39,7 @@ __FBSDID("$FreeBSD$");
#include <sys/kernel.h>
#include <sys/priv.h>
#include <sys/proc.h>
+#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
@@ -57,6 +60,14 @@ SYSCTL_INT(_security_bsd, OID_AUTO, suser_enabled, CTLFLAG_RW,
&suser_enabled, 0, "processes with uid 0 have privilege");
TUNABLE_INT("security.bsd.suser_enabled", &suser_enabled);
+SDT_PROVIDER_DEFINE(priv);
+
+SDT_PROBE_DEFINE(priv, kernel, priv_check, priv_ok);
+SDT_PROBE_ARGTYPE(priv, kernel, priv_check, priv_ok, 0, "int");
+
+SDT_PROBE_DEFINE(priv, kernel, priv_check, priv_err);
+SDT_PROBE_ARGTYPE(priv, kernel, priv_check, priv_err, 0, "int");
+
/*
* Check a credential for privilege. Lots of good reasons to deny privilege;
* only a few to grant it.
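Review bot: The probe definitions added here carry no comment saying when each probe fires or what arg0 holds, so a reader of kern_priv.c has to find the SDT_PROBE call sites at the end of priv_check_cred() to learn it. I would put a short comment above `SDT_PROVIDER_DEFINE(priv);`, for example `/* priv_ok fires when priv_check_cred() grants, priv_err when it denies; arg0 is the requested privilege number. */`. These probe names and argument positions become an interface that monitoring scripts rely on, so recording the contract next to the definitions keeps later edits from changing it silently. The block comment that follows in this hunk belongs to priv_check_cred() and continues outside the hunk.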
@@ -76,7 +87,7 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
#ifdef MAC
error = mac_priv_check(cred, priv);
if (error)
- return (error);
+ goto out;
#endif
/*
@@ -85,7 +96,7 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
*/
error = prison_priv_check(cred, priv);
if (error)
- return (error);
+ goto out;
/*
* Having determined if privilege is restricted by various policies,
@@ -103,13 +114,17 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
case PRIV_MAXFILES:
case PRIV_MAXPROC:
case PRIV_PROC_LIMIT:
- if (cred->cr_ruid == 0)
- return (0);
+ if (cred->cr_ruid == 0) {
+ error = 0;
+ goto out;
+ }
break;
default:
- if (cred->cr_uid == 0)
- return (0);
+ if (cred->cr_uid == 0) {
+ error = 0;
+ goto out;
+ }
break;
}
}
@@ -119,10 +134,26 @@ priv_check_cred(struct ucred *cred, int priv, int flags)
* privilege.
*/
#ifdef MAC
- if (mac_priv_grant(cred, priv) == 0)
- return (0);
+ if (mac_priv_grant(cred, priv) == 0) {
+ error = 0;
+ goto out;
+ }
#endif
- return (EPERM);
+
+ /*
+ * The default is deny, so if no policies have granted it, reject
+ * with a privilege error here.
+ */
+ error = EPERM;
+out:
+ if (error) {
+ SDT_PROBE(priv, kernel, priv_check, priv_err, priv, 0, 0, 0,
+ 0);
+ } else {
+ SDT_PROBE(priv, kernel, priv_check, priv_ok, priv, 0, 0, 0,
+ 0);
+ }
+ return (error);
}
int
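Review bot: The priv_err probe at the `out:` label passes only `priv`, so the value of `error` is not visible to a consumer of the probe. Someone tracing denials therefore cannot tell from the probe alone whether the refusal came from mac_priv_check(), from prison_priv_check(), or from the default-deny `error = EPERM` path, assuming those can return different values. Passing it as a second argument would cost nothing when the probe is disabled: `SDT_PROBE(priv, kernel, priv_check, priv_err, priv, error, 0, 0, 0);` together with `SDT_PROBE_ARGTYPE(priv, kernel, priv_check, priv_err, 1, "int");` next to the existing definitions. priv_check_cred() starts outside this hunk, so this reading relies on the earlier hunks showing that every exit now goes through `out:`.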