author | pjd <pjd@FreeBSD.org> | 2012-11-27 10:38:11 +0000 |
---|---|---|
committer | pjd <pjd@FreeBSD.org> | 2012-11-27 10:38:11 +0000 |
commit | e4de9f38a2347467d9d4f2c158d49b3c226031c7 (patch) | |
tree | ec9ff180b15782f20e372b01e51048a0ba0f2dc0 /sys/kern | |
parent | 7a831b4b8cd8e6d31377b49c6c08ad2bc20848ac (diff) | |
Add kern.capmode_coredump sysctl/tunable to allow processes in capability mode
to dump core.
Reviewed by: rwatson
Obtained from: WHEEL Systems
MFC after: 2 weeks
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_sig.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c index a0b5809..541ea2b 100644 --- a/sys/kern/kern_sig.c +++ b/sys/kern/kern_sig.c @@ -175,6 +175,11 @@ TUNABLE_INT("kern.sugid_coredump", &sugid_coredump); SYSCTL_INT(_kern, OID_AUTO, sugid_coredump, CTLFLAG_RW, &sugid_coredump, 0, "Allow setuid and setgid processes to dump core"); +static int capmode_coredump; +TUNABLE_INT("kern.capmode_coredump", &capmode_coredump); +SYSCTL_INT(_kern, OID_AUTO, capmode_coredump, CTLFLAG_RW, + &capmode_coredump, 0, "Allow processes in capability mode to dump core"); + static int do_coredump = 1; SYSCTL_INT(_kern, OID_AUTO, coredump, CTLFLAG_RW, &do_coredump, 0, "Enable/Disable coredumps"); @@ -3134,12 +3139,17 @@ nomem: int error, n; int flags = O_CREAT | O_EXCL | FWRITE | O_NOFOLLOW; int cmode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP; + int oflags = 0; + + if (capmode_coredump) + oflags = VN_OPEN_NOCAPCHECK; for (n = 0; n < num_cores; n++) { temp[indexpos] = '0' + n; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, temp, td); - error = vn_open(&nd, &flags, cmode, NULL); + error = vn_open_cred(&nd, &flags, cmode, oflags, + td->td_ucred, NULL); if (error) { if (error == EEXIST) continue; @@ -3241,7 +3251,8 @@ coredump(struct thread *td) restart: NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, td); flags = O_CREAT | FWRITE | O_NOFOLLOW; - error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR, VN_OPEN_NOAUDIT, + error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR, + VN_OPEN_NOAUDIT | (capmode_coredump ? VN_OPEN_NOCAPCHECK : 0), cred, NULL); if (error) { #ifdef AUDIT |
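Review bot: The description string on the new `capmode_coredump` knob says what it permits but not what it relaxes. In the later hunks a non-zero value adds `VN_OPEN_NOCAPCHECK` to the core-file open, so the path is resolved without the capability-mode check on behalf of a sandboxed process. A comment above the declaration would make that visible to whoever flips it, for example `/* Off by default; when set, core-file opens pass VN_OPEN_NOCAPCHECK. */`. The variable is a single file-scope `int` exposed `CTLFLAG_RW`, so the same comment should say the setting is system-wide and changeable at runtime.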
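Review bot: `oflags` becomes `VN_OPEN_NOCAPCHECK` whenever the sysctl is non-zero, whether or not the dumping thread is actually in capability mode; the ternary in the `coredump()` hunk has the same shape. If the flag is inert for unsandboxed processes this is harmless, but tying it to the caller's state keeps the bypass as narrow as the commit message describes, e.g. `if (capmode_coredump && IN_CAPABILITY_MODE(td))`. The enclosing function starts and ends outside the hunk, so it is worth confirming that `td` is always the crashing thread on this path.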
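Review bot: This open uses `O_CREAT | FWRITE | O_NOFOLLOW` without `O_EXCL`, unlike the indexed-name loop in the previous hunk. With `VN_OPEN_NOCAPCHECK` set, a crash in a sandboxed process can therefore open a file that already exists at the core path. Whatever validation follows the open is outside the hunk; please confirm it is sufficient for capability-mode processes and record that next to the call, for example `/* NOCAPCHECK only lifts the capability-mode lookup check; the post-open checks still apply. */`. `coredump()` continues beyond the hunk on both sides.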