When devfs cloning takes place, provide access to the credential of the

process that caused the clone event to take place for the device driver
creating the device.  This allows cloned device drivers to adapt the
device node based on security aspects of the process, such as the uid,
gid, and MAC label.

- Add a cred reference to struct cdev, so that when a device node is
  instantiated as a vnode, the cloning credential can be exposed to
  MAC.

- Add make_dev_cred(), a version of make_dev() that additionally
  accepts the credential to stick in the struct cdev.  Implement it and
  make_dev() in terms of a back-end make_dev_credv().

- Add a new event handler, dev_clone_cred, which can be registered to
  receive the credential instead of dev_clone, if desired.

- Modify the MAC entry point mac_create_devfs_device() to accept an
  optional credential pointer (may be NULL), so that MAC policies can
  inspect and act on the label or other elements of the credential
  when initializing the skeleton device protections.

- Modify tty_pty.c to register clone_dev_cred and invoke make_dev_cred(),
  so that the pty clone credential is exposed to the MAC Framework.

While currently primarily focussed on MAC policies, this change is also
a prerequisite for changes to allow ptys to be instantiated with the UID
of the process looking up the pty.  This requires further changes to the
pty driver -- in particular, to immediately recycle pty nodes on last
close so that the credential-related state can be recreated on next
lookup.

Submitted by:	Andrew Reisse <andrew.reisse@sparta.com>
Obtained from:	TrustedBSD Project
Sponsored by:	SPAWAR, SPARTA
MFC after:	1 week
MFC note:	Merge to 6.x, but not 5.x for ABI reasons

1 files changed, 8 insertions, 7 deletions

diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index 3a53294..92f6da1 100644
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -63,7 +63,7 @@ static MALLOC_DEFINE(M_PTY, "ptys", "pty data structures");
 static void ptsstart(struct tty *tp);
 static void ptsstop(struct tty *tp, int rw);
 static void ptcwakeup(struct tty *tp, int flag);
-static struct cdev *ptyinit(struct cdev *cdev);
+static struct cdev *ptyinit(struct cdev *cdev, struct thread *td);
 
 static	d_open_t	ptsopen;
 static	d_close_t	ptsclose;
@@ -132,7 +132,7 @@ static char *names = "pqrsPQRS";
  *      than 256 ptys.
  */
 static struct cdev *
-ptyinit(struct cdev *devc)
+ptyinit(struct cdev *devc, struct thread *td)
 {
 	struct cdev *devs;
 	struct ptsc *pt;
@@ -146,7 +146,7 @@ ptyinit(struct cdev *devc)
 	devc->si_flags &= ~SI_CHEAPCLONE;
 
 	pt = malloc(sizeof(*pt), M_PTY, M_WAITOK | M_ZERO);
-	pt->devs = devs = make_dev(&pts_cdevsw, n,
+	pt->devs = devs = make_dev_cred(&pts_cdevsw, n, td->td_ucred,
 	    UID_ROOT, GID_WHEEL, 0666, "tty%c%r", names[n / 32], n % 32);
 	pt->devc = devc;
 
@@ -272,7 +272,7 @@ ptcopen(struct cdev *dev, int flag, int devtype, struct thread *td)
 	struct ptsc *pt;
 
 	if (!dev->si_drv1)
-		ptyinit(dev);
+		ptyinit(dev, td);
 	if (!dev->si_drv1)
 		return(ENXIO);
 	tp = dev->si_tty;
@@ -681,7 +681,8 @@ ptsioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, struct thread *td
 }
 
 static void
-pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
+pty_clone(void *arg, struct ucred *cr, char *name, int namelen,
+    struct cdev **dev)
 {
 	int u;
 
@@ -708,7 +709,7 @@ pty_clone(void *arg, char *name, int namelen, struct cdev **dev)
 		u += name[4] - 'a' + 10;
 	else
 		return;
-	*dev = make_dev(&ptc_cdevsw, u,
+	*dev = make_dev_cred(&ptc_cdevsw, u, cr,
 	    UID_ROOT, GID_WHEEL, 0666, "pty%c%r", names[u / 32], u % 32);
 	dev_ref(*dev);
 	(*dev)->si_flags |= SI_CHEAPCLONE;
@@ -719,7 +720,7 @@ static void
 ptc_drvinit(void *unused)
 {
 
-	EVENTHANDLER_REGISTER(dev_clone, pty_clone, 0, 1000);
+	EVENTHANDLER_REGISTER(dev_clone_cred, pty_clone, 0, 1000);
 }
 
 SYSINIT(ptcdev,SI_SUB_DRIVERS,SI_ORDER_MIDDLE,ptc_drvinit,NULL)