authorrwatson <rwatson@FreeBSD.org>2001-07-31 15:48:21 +0000
committerrwatson <rwatson@FreeBSD.org>2001-07-31 15:48:21 +0000
commit09d5fb71b92aaa23b0684d38eed9c37cbca3baba (patch)
tree3794826d9ee10b83fec73459246b9ac89ef323ec /sys
parent78d96e6b4da682605cbae3b774c618bf9c2964c4 (diff)
o Introduce new kern.security sysctl tree for kernel security policy
MIB entries. o Relocate kern.suser_permitted to kern.security.suser_permitted. o Introduce new kern.security.unprivileged_procdebug_permitted, which (when set to 0) prevents processes without privilege from performing a variety of inter-process debugging activities. The default is 1, to provide current behavior. This feature allows "hardened" systems to disable access to debugging facilities, which have been associated with a number of past security vulnerabilities. Previously, while procfs could be unmounted, other in-kernel facilities (such as ptrace()) were still available. This setting should not be modified on normal development systems, as it will result in frustration. Some utilities respond poorly to failing to get the debugging access they require, and error response by these utilities may be improved in the future in the name of beautification. Note that there are currently some odd interactions with some facilities, which will need to be resolved before this should be used in production, including odd interactions with truss and ktrace. Note also that currently, tracing is permitted on the current process regardless of this flag, for compatibility with previous authorization code in various facilities, but that will probably change (and resolve the odd interactions). Obtained from: TrustedBSD Project
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_prot.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 1c6ce77..a10d3da 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -62,6 +62,9 @@
static MALLOC_DEFINE(M_CRED, "cred", "credentials");
+SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0,
+ "Kernel security policy");
+
#ifndef _SYS_SYSPROTO_H_
struct getpid_args {
int dummy;
@@ -1027,8 +1030,8 @@ groupmember(gid, cred)
static int suser_permitted = 1;
-SYSCTL_INT(_kern, OID_AUTO, suser_permitted, CTLFLAG_RW, &suser_permitted, 0,
- "processes with uid 0 have privilege");
+SYSCTL_INT(_kern_security, OID_AUTO, suser_permitted, CTLFLAG_RW,
+ &suser_permitted, 0, "processes with uid 0 have privilege");
/*
* Test whether the specified credentials imply "super-user"
@@ -1191,6 +1194,11 @@ p_cansched(struct proc *p1, struct proc *p2)
return (EPERM);
}
+static int kern_unprivileged_procdebug_permitted = 1;
+SYSCTL_INT(_kern_security, OID_AUTO, unprivileged_procdebug_permitted,
+ CTLFLAG_RW, &kern_unprivileged_procdebug_permitted, 0,
+ "Unprivileged processes may use process debugging facilities");
+
int
p_candebug(struct proc *p1, struct proc *p2)
{
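Review bot: The new knob on line L42 is named `kern_unprivileged_procdebug_permitted` while the sibling knob relocated in this same commit (L32) stays `suser_permitted`, so the two policy variables in one file now follow different prefix conventions; dropping the `kern_` prefix, or adding it to both, would keep them parallel. The variable also deserves a short comment at its definition stating that it is consulted only in p_candebug (as the later hunk shows) and that the default of 1 preserves the pre-commit behaviour, e.g. `/* Policy knob read by p_candebug(); 1 keeps historical behaviour. */`. The sysctl is CTLFLAG_RW, so a later comment reader should also know it can be toggled at runtime without a reboot, which the description string alone does not convey.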
@@ -1207,7 +1215,7 @@ p_candebug(struct proc *p1, struct proc *p2)
if (p1->p_ucred->cr_uid != p2->p_ucred->cr_uid ||
p1->p_ucred->cr_uid != p2->p_ucred->cr_svuid ||
p1->p_ucred->cr_uid != p2->p_ucred->cr_ruid ||
- p2->p_flag & P_SUGID)
+ p2->p_flag & P_SUGID || !kern_unprivileged_procdebug_permitted)
if ((error = suser_xxx(0, p1, PRISON_ROOT)))
return (error);
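Review bot: The added clause on line L55 mixes `&` and `||` without parentheses; it parses as intended only because `&` binds tighter than `||`, and `-Wparentheses` will flag it, so write `(p2->p_flag & P_SUGID) || !kern_unprivileged_procdebug_permitted)`. Note that when the knob is 0 the only gate is the existing `suser_xxx(0, p1, PRISON_ROOT)` call, which (if I read the PRISON_ROOT flag correctly) still admits a uid-0 process inside a jail; if the hardened configuration is meant to confine jailed root as well, that fallback needs a separate decision and a comment saying which was chosen. The description also mentions that tracing of the current process bypasses this flag; none of that is visible here, and p_candebug begins and ends outside this hunk, so the bypass should at least be documented next to the new clause.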