diff options
| author | rwatson <rwatson@FreeBSD.org> | 2005-04-18 13:36:57 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2005-04-18 13:36:57 +0000 |
| commit | 75030e30f64232f9490b244e2925b347d7bf669c (patch) | |
| tree | edb79f235bf4b33075b9d7e39ce462e142125e48 /sys/security | |
| parent | 8694c5f46241d5fb117c7feed17f9896b6f9e730 (diff) | |
| download | FreeBSD-src-75030e30f64232f9490b244e2925b347d7bf669c.zip FreeBSD-src-75030e30f64232f9490b244e2925b347d7bf669c.tar.gz | |
Introduce p_canwait() and MAC Framework and MAC Policy entry points
mac_check_proc_wait(), which control the ability to wait4() specific
processes. This permits MAC policies to limit information flow from
children that have changed label, although has to be handled carefully
due to common programming expectations regarding the behavior of
wait4(). The cr_seeotheruids() check in p_canwait() is #if 0'd for
this reason.
The mac_stub and mac_test policies are updated to reflect these new
entry points.
Sponsored by: SPAWAR, SPARTA
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/security')
| -rw-r--r-- | sys/security/mac/mac_framework.h | 1 | ||||
| -rw-r--r-- | sys/security/mac/mac_policy.h | 2 | ||||
| -rw-r--r-- | sys/security/mac/mac_process.c | 15 | ||||
| -rw-r--r-- | sys/security/mac_stub/mac_stub.c | 8 | ||||
| -rw-r--r-- | sys/security/mac_test/mac_test.c | 11 |
5 files changed, 37 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index f72733d..8e5037a 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h @@ -351,6 +351,7 @@ int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, gid_t egid, gid_t sgid); int mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum); +int mac_check_proc_wait(struct ucred *cred, struct proc *proc); int mac_check_socket_accept(struct ucred *cred, struct socket *so); int mac_check_socket_bind(struct ucred *cred, struct socket *so, struct sockaddr *sockaddr); diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h index 402d622..e519cb3 100644 --- a/sys/security/mac/mac_policy.h +++ b/sys/security/mac/mac_policy.h @@ -424,6 +424,8 @@ struct mac_policy_ops { gid_t egid, gid_t sgid); int (*mpo_check_proc_signal)(struct ucred *cred, struct proc *proc, int signum); + int (*mpo_check_proc_wait)(struct ucred *cred, + struct proc *proc); int (*mpo_check_socket_accept)(struct ucred *cred, struct socket *so, struct label *socketlabel); int (*mpo_check_socket_bind)(struct ucred *cred, diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c index 8dda7b1..436c55b 100644 --- a/sys/security/mac/mac_process.c +++ b/sys/security/mac/mac_process.c @@ -650,3 +650,18 @@ mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid); return (error); } + +int +mac_check_proc_wait(struct ucred *cred, struct proc *proc) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_process) + return (0); + + MAC_CHECK(check_proc_wait, cred, proc); + + return (error); +} diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 9a7f567..64a06d9 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -842,6 +842,13 @@ stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) } static int +stub_check_proc_wait(struct ucred *cred, struct proc *proc) +{ + + return (0); +} + +static int stub_check_proc_setuid(struct ucred *cred, uid_t uid) { @@ -1456,6 +1463,7 @@ static struct mac_policy_ops mac_stub_ops = .mpo_check_proc_setresuid = stub_check_proc_setresuid, .mpo_check_proc_setresgid = stub_check_proc_setresgid, .mpo_check_proc_signal = stub_check_proc_signal, + .mpo_check_proc_wait = stub_check_proc_wait, .mpo_check_socket_accept = stub_check_socket_accept, .mpo_check_socket_bind = stub_check_socket_bind, .mpo_check_socket_connect = stub_check_socket_connect, diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c index 1ce97a3..b2fa853 100644 --- a/sys/security/mac_test/mac_test.c +++ b/sys/security/mac_test/mac_test.c @@ -1791,6 +1791,16 @@ mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, } static int +mac_test_check_proc_wait(struct ucred *cred, struct proc *proc) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + ASSERT_CRED_LABEL(proc->p_ucred->cr_label); + + return (0); +} + +static int mac_test_check_socket_accept(struct ucred *cred, struct socket *socket, struct label *socketlabel) { @@ -2506,6 +2516,7 @@ static struct mac_policy_ops mac_test_ops = .mpo_check_proc_setresuid = mac_test_check_proc_setresuid, .mpo_check_proc_setresgid = mac_test_check_proc_setresgid, .mpo_check_proc_signal = mac_test_check_proc_signal, + .mpo_check_proc_wait = mac_test_check_proc_wait, .mpo_check_socket_accept = mac_test_check_socket_accept, .mpo_check_socket_bind = mac_test_check_socket_bind, .mpo_check_socket_connect = mac_test_check_socket_connect, |
