author | rwatson <rwatson@FreeBSD.org> | 2005-04-16 13:29:15 +0000 |
committer | rwatson <rwatson@FreeBSD.org> | 2005-04-16 13:29:15 +0000 |
commit | 51183f0f84c55dbff5987158aa92cc12382f45c9 (patch) | |
tree | e1ac2c88c9e8206122edd042d8c77dd7a8d385b4 /sys/security/mac/mac_process.c | |
parent | 8973ecaa77eb9d84b96a485dfdc1fffc5276fd2a (diff) | |
Introduce new MAC Framework and MAC Policy entry points to control the use
of system calls to manipulate elements of the process credential,
including:
setuid() mac_check_proc_setuid()
seteuid() mac_check_proc_seteuid()
setgid() mac_check_proc_setgid()
setegid() mac_check_proc_setegid()
setgroups() mac_check_proc_setgroups()
setreuid() mac_check_proc_setreuid()
setregid() mac_check_proc_setregid()
setresuid() mac_check_proc_setresuid()
setresgid() mac_check_proc_setresgid()
MAC checks are performed before other existing security checks; both
current credential and intended modifications are passed as arguments
to the entry points. The mac_test and mac_stub policies are updated.
Submitted by: Samy Al Bahra <samy@kerneled.org>
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security/mac/mac_process.c')
-rw-r--r-- | sys/security/mac/mac_process.c | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 4f3a6c0..8dda7b1 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2,6 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 Samy Al Bahra
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -85,6 +86,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW,
 &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via "
 "copy-on-write semantics, or by removing all write access");
 
+static int mac_enforce_suid = 1;
+SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW,
+ &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations");
+TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid);
+
 #ifdef MAC_DEBUG
 static unsigned int nmaccreds, nmacprocs;
 SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD,
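Review bot: The description string on the added `SYSCTL_INT` line, `"Enforce MAC policy on suid/sgid operations"`, does not say what the knob actually gates: the commit adds entry points for the setuid(2)/setgid(2)/setgroups(2) family, i.e. explicit credential changes requested by a running process, not set-user-ID or set-group-ID execution, which both the name `enforce_suid` and the string suggest. Because the knob is `CTLFLAG_RW` and also a loader `TUNABLE_INT`, clearing it at runtime makes every one of the nine new `mac_check_proc_set*` functions return 0 without consulting any policy, so an administrator reading the sysctl needs to know exactly what is switched off. I would change the string to `"Enforce MAC policy on process credential changes (setuid(2) family)"`; renaming the OID would be clearer still but alters a user-visible sysctl name. Whether the framework's other `enforce_*` knobs are RW by convention cannot be confirmed from this hunk, where only `mmap_revocation_via_cow` is visible.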
@@ -513,3 +519,134 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)
 
 return (error);
 }
+
+int
+mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setuid, cred, uid);
+ return (error);
+}
+
+int
+mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_seteuid, cred, euid);
+ return (error);
+}
+
+int
+mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setgid, cred, gid);
+ return (error);
+}
+
+int
+mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setegid, cred, egid);
+ return (error);
+}
+
+int
+mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
+ int ngroups, gid_t *gidset)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset);
+ return (error);
+}
+
+int
+mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid,
+ uid_t euid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setreuid, cred, ruid, euid);
+ return (error);
+}
+
+int
+mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid,
+ gid_t egid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setregid, cred, rgid, egid);
+ return (error);
+}
+
+int
+mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid);
+ return (error);
+}
+
+int
+mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid)
+{
+ int error;
+
+ PROC_LOCK_ASSERT(proc, MA_OWNED);
+
+ if (!mac_enforce_suid)
+ return (0);
+
+ MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid);
+ return (error);
+}
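Review bot: The nine new entry points put `struct proc *proc` before `struct ucred *cred`, whereas the existing `mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum)` shown in this hunk's header puts the credential first; since `proc` is used only for `PROC_LOCK_ASSERT` and is never forwarded to the policy, the order here is a convention choice that should match the rest of the file before it is replicated into nine policy-header prototypes. None of the functions carries a comment; I would add one block above `mac_check_proc_setuid` stating that this family mediates the setuid(2)/setgid(2)/setgroups(2) system calls, is called with the process lock held, receives the caller's current credential together with the requested new identifiers, and returns 0 without consulting any policy while `security.mac.enforce_suid` is cleared. In `mac_check_proc_setgroups`, `ngroups` and `gidset` reach the policy without any check at this layer, so the comment should also say that the caller must already have copied the set into kernel memory and bounded `ngroups` — presumably the syscall code in kern_prot.c does this, but it is not visible in this diff.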