-rw-r--r-- | sys/kern/kern_prot.c | 190 | ||||
-rw-r--r-- | sys/security/mac/mac_framework.h | 18 | ||||
-rw-r--r-- | sys/security/mac/mac_policy.h | 14 | ||||
-rw-r--r-- | sys/security/mac/mac_process.c | 137 | ||||
-rw-r--r-- | sys/security/mac_stub/mac_stub.c | 75 | ||||
-rw-r--r-- | sys/security/mac_test/mac_test.c | 93 | ||||
-rw-r--r-- | sys/sys/mac.h | 18 | ||||
-rw-r--r-- | sys/sys/mac_policy.h | 14 |
8 files changed, 506 insertions, 53 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index d867d53..56ec0dd 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -500,6 +500,12 @@ setuid(struct thread *td, struct setuid_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; +#ifdef MAC + error = mac_check_proc_setuid(p, oldcred, uid); + if (error) + goto fail; +#endif + /* * See if we have "permission" by POSIX 1003.1 rules. * @@ -524,12 +530,8 @@ setuid(struct thread *td, struct setuid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ uid != oldcred->cr_uid && /* allow setuid(geteuid()) */ #endif - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - uifree(uip); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; /* * Copy credentials so other references do not see our changes. @@ -579,6 +581,12 @@ setuid(struct thread *td, struct setuid_args *uap) uifree(uip); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + uifree(uip); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ @@ -604,14 +612,18 @@ seteuid(struct thread *td, struct seteuid_args *uap) euip = uifind(euid); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_seteuid(p, oldcred, euid); + if (error) + goto fail; +#endif + if (euid != oldcred->cr_ruid && /* allow seteuid(getuid()) */ euid != oldcred->cr_svuid && /* allow seteuid(saved uid) */ - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - uifree(euip); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; + /* * Everything's okay, do it. Copy credentials so other references do * not see our changes. @@ -626,6 +638,12 @@ seteuid(struct thread *td, struct seteuid_args *uap) uifree(euip); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + uifree(euip); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ 
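Review bot: The new `#ifdef MAC` block in setuid() sits above the comment that introduces the POSIX 1003.1 permission rules, and nothing records that the MAC hook runs first and can refuse a change those rules would allow. A one-line comment above the block, such as `/* MAC policies may veto the change before the POSIX rules are applied. */`, would make that ordering explicit. The same applies to the matching blocks added to seteuid(), setgid(), setegid(), setgroups(), setreuid(), setregid(), setresuid() and setresgid() in the later hunks. The bodies of these functions extend beyond the hunks shown.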
@@ -650,6 +668,12 @@ setgid(struct thread *td, struct setgid_args *uap) PROC_LOCK(p); oldcred = p->p_ucred; +#ifdef MAC + error = mac_check_proc_setgid(p, oldcred, gid); + if (error) + goto fail; +#endif + /* * See if we have "permission" by POSIX 1003.1 rules. * @@ -668,11 +692,8 @@ setgid(struct thread *td, struct setgid_args *uap) #ifdef POSIX_APPENDIX_B_4_2_2 /* Use BSD-compat clause from B.4.2.2 */ gid != oldcred->cr_groups[0] && /* allow setgid(getegid()) */ #endif - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; crcopy(newcred, oldcred); #ifdef _POSIX_SAVED_IDS @@ -718,6 +739,11 @@ setgid(struct thread *td, struct setgid_args *uap) PROC_UNLOCK(p); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ @@ -741,13 +767,18 @@ setegid(struct thread *td, struct setegid_args *uap) newcred = crget(); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setegid(p, oldcred, egid); + if (error) + goto fail; +#endif + if (egid != oldcred->cr_rgid && /* allow setegid(getgid()) */ egid != oldcred->cr_svgid && /* allow setegid(saved gid) */ - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; + crcopy(newcred, oldcred); if (oldcred->cr_groups[0] != egid) { change_egid(newcred, egid); @@ -757,6 +788,11 @@ setegid(struct thread *td, struct setegid_args *uap) PROC_UNLOCK(p); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ 
@@ -789,14 +825,18 @@ setgroups(struct thread *td, struct setgroups_args *uap) newcred = crget(); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setgroups(p, oldcred, ngrp, + tempcred->cr_groups); + if (error) + goto fail; +#endif + error = suser_cred(oldcred, SUSER_ALLOWJAIL); - if (error) { - PROC_UNLOCK(p); - crfree(newcred); - crfree(tempcred); - return (error); - } - + if (error) + goto fail; + /* * XXX A little bit lazy here. We could test if anything has * changed before crcopy() and setting P_SUGID. @@ -821,6 +861,12 @@ setgroups(struct thread *td, struct setgroups_args *uap) crfree(tempcred); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + crfree(newcred); + crfree(tempcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ @@ -849,17 +895,20 @@ setreuid(register struct thread *td, struct setreuid_args *uap) ruip = uifind(ruid); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setreuid(p, oldcred, ruid, euid); + if (error) + goto fail; +#endif + if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && ruid != oldcred->cr_svuid) || (euid != (uid_t)-1 && euid != oldcred->cr_uid && euid != oldcred->cr_ruid && euid != oldcred->cr_svuid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - uifree(ruip); - uifree(euip); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; + crcopy(newcred, oldcred); if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { change_euid(newcred, euip); @@ -880,6 +929,13 @@ setreuid(register struct thread *td, struct setreuid_args *uap) uifree(euip); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + uifree(ruip); + uifree(euip); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ 
@@ -905,15 +961,19 @@ setregid(register struct thread *td, struct setregid_args *uap) newcred = crget(); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setregid(p, oldcred, rgid, egid); + if (error) + goto fail; +#endif + if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && rgid != oldcred->cr_svgid) || (egid != (gid_t)-1 && egid != oldcred->cr_groups[0] && egid != oldcred->cr_rgid && egid != oldcred->cr_svgid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; crcopy(newcred, oldcred); if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { @@ -933,6 +993,11 @@ setregid(register struct thread *td, struct setregid_args *uap) PROC_UNLOCK(p); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + crfree(newcred); + return (error); } /* @@ -968,6 +1033,13 @@ setresuid(register struct thread *td, struct setresuid_args *uap) ruip = uifind(ruid); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setresuid(p, oldcred, ruid, euid, suid); + if (error) + goto fail; +#endif + if (((ruid != (uid_t)-1 && ruid != oldcred->cr_ruid && ruid != oldcred->cr_svuid && ruid != oldcred->cr_uid) || @@ -977,13 +1049,8 @@ setresuid(register struct thread *td, struct setresuid_args *uap) (suid != (uid_t)-1 && suid != oldcred->cr_ruid && suid != oldcred->cr_svuid && suid != oldcred->cr_uid)) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - uifree(ruip); - uifree(euip); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; crcopy(newcred, oldcred); if (euid != (uid_t)-1 && oldcred->cr_uid != euid) { 
@@ -1004,6 +1071,14 @@ setresuid(register struct thread *td, struct setresuid_args *uap) uifree(euip); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + uifree(ruip); + uifree(euip); + crfree(newcred); + return (error); + } /* @@ -1036,6 +1111,13 @@ setresgid(register struct thread *td, struct setresgid_args *uap) newcred = crget(); PROC_LOCK(p); oldcred = p->p_ucred; + +#ifdef MAC + error = mac_check_proc_setresgid(p, oldcred, rgid, egid, sgid); + if (error) + goto fail; +#endif + if (((rgid != (gid_t)-1 && rgid != oldcred->cr_rgid && rgid != oldcred->cr_svgid && rgid != oldcred->cr_groups[0]) || @@ -1045,11 +1127,8 @@ setresgid(register struct thread *td, struct setresgid_args *uap) (sgid != (gid_t)-1 && sgid != oldcred->cr_rgid && sgid != oldcred->cr_svgid && sgid != oldcred->cr_groups[0])) && - (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) { - PROC_UNLOCK(p); - crfree(newcred); - return (error); - } + (error = suser_cred(oldcred, SUSER_ALLOWJAIL)) != 0) + goto fail; crcopy(newcred, oldcred); if (egid != (gid_t)-1 && oldcred->cr_groups[0] != egid) { @@ -1068,6 +1147,11 @@ setresgid(register struct thread *td, struct setresgid_args *uap) PROC_UNLOCK(p); crfree(oldcred); return (0); + +fail: + PROC_UNLOCK(p); + crfree(newcred); + return (error); } #ifndef _SYS_SYSPROTO_H_ diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h index 055a5ad..3e6e53e 100644 --- a/sys/security/mac/mac_framework.h +++ b/sys/security/mac/mac_framework.h 
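Review bot: The `fail:` block added to setresuid() has an empty added line between `return (error);` and the closing brace, which the other `fail:` blocks in this commit do not have. Dropping that blank `+` line keeps the error paths identical in layout and matches the rest of the file as far as it is visible here.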
@@ -330,6 +330,24 @@ int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
 int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
 int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
 int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
+int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
+ uid_t uid);
+int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
+ uid_t euid);
+int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
+ gid_t gid);
+int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
+ gid_t egid);
+int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
+ int ngroups, gid_t *gidset);
+int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
+ uid_t ruid, uid_t euid);
+int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
+ gid_t rgid, gid_t egid);
+int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
+ uid_t ruid, uid_t euid, uid_t suid);
+int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
+ gid_t rgid, gid_t egid, gid_t sgid);
 int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
 int signum);
 int mac_check_socket_bind(struct ucred *cred, struct socket *so,
diff --git a/sys/security/mac/mac_policy.h b/sys/security/mac/mac_policy.h
index 036c7a9..910690a 100644
--- a/sys/security/mac/mac_policy.h
+++ b/sys/security/mac/mac_policy.h
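Review bot: `mac_check_proc_setgroups()` takes the group list as `gid_t *gidset`, although the hook is a permission check and should only read it; setgroups() passes `tempcred->cr_groups`, so a policy that wrote through the pointer would alter the list under evaluation. Declaring the parameter `const gid_t *gidset` would state the contract and let the compiler catch accidental writes. The same parameter appears in `mpo_check_proc_setgroups` in mac_policy.h, in the definition in mac_process.c, in the stub and test policies, and in the sys/sys copies of both headers. What setgroups() does with `tempcred` afterwards is outside the visible hunks.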
@@ -408,6 +408,20 @@ struct mac_policy_ops {
 struct proc *proc);
 int (*mpo_check_proc_sched)(struct ucred *cred,
 struct proc *proc);
+ int (*mpo_check_proc_setuid)(struct ucred *cred, uid_t uid);
+ int (*mpo_check_proc_seteuid)(struct ucred *cred, uid_t euid);
+ int (*mpo_check_proc_setgid)(struct ucred *cred, gid_t gid);
+ int (*mpo_check_proc_setegid)(struct ucred *cred, gid_t egid);
+ int (*mpo_check_proc_setgroups)(struct ucred *cred, int ngroups,
+ gid_t *gidset);
+ int (*mpo_check_proc_setreuid)(struct ucred *cred, uid_t ruid,
+ uid_t euid);
+ int (*mpo_check_proc_setregid)(struct ucred *cred, gid_t rgid,
+ gid_t egid);
+ int (*mpo_check_proc_setresuid)(struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid);
+ int (*mpo_check_proc_setresgid)(struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid);
 int (*mpo_check_proc_signal)(struct ucred *cred,
 struct proc *proc, int signum);
 int (*mpo_check_socket_bind)(struct ucred *cred,
diff --git a/sys/security/mac/mac_process.c b/sys/security/mac/mac_process.c
index 4f3a6c0..8dda7b1 100644
--- a/sys/security/mac/mac_process.c
+++ b/sys/security/mac/mac_process.c
@@ -2,6 +2,7 @@
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001 Ilmar S. Habibulin
 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
+ * Copyright (c) 2005 Samy Al Bahra
 * All rights reserved.
 *
 * This software was developed by Robert Watson and Ilmar Habibulin for the
@@ -85,6 +86,11 @@ SYSCTL_INT(_security_mac, OID_AUTO, mmap_revocation_via_cow, CTLFLAG_RW, &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " "copy-on-write semantics, or by removing all write access"); +static int mac_enforce_suid = 1; +SYSCTL_INT(_security_mac, OID_AUTO, enforce_suid, CTLFLAG_RW, + &mac_enforce_suid, 0, "Enforce MAC policy on suid/sgid operations"); +TUNABLE_INT("security.mac.enforce_suid", &mac_enforce_suid); + #ifdef MAC_DEBUG static unsigned int nmaccreds, nmacprocs; SYSCTL_UINT(_security_mac_debug_counters, OID_AUTO, creds, CTLFLAG_RD, 
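Review bot: `security.mac.enforce_suid` is registered with plain `CTLFLAG_RW`, and every wrapper added later in this file returns 0 when the variable is zero, so anything permitted to write sysctls can switch off MAC mediation of all nine credential-changing calls at run time. Consider `CTLFLAG_RW | CTLFLAG_SECURE` so the knob cannot be cleared once the securelevel has been raised. The description should also say that the knob gates the setgroups() check, which "suid/sgid operations" does not obviously cover. Whether the file's other enforce_* knobs are registered the same way is not visible in this hunk.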
@@ -513,3 +519,134 @@ mac_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) return (error); } + +int +mac_check_proc_setuid(struct proc *proc, struct ucred *cred, uid_t uid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setuid, cred, uid); + return (error); +} + +int +mac_check_proc_seteuid(struct proc *proc, struct ucred *cred, uid_t euid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_seteuid, cred, euid); + return (error); +} + +int +mac_check_proc_setgid(struct proc *proc, struct ucred *cred, gid_t gid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setgid, cred, gid); + return (error); +} + +int +mac_check_proc_setegid(struct proc *proc, struct ucred *cred, gid_t egid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setegid, cred, egid); + return (error); +} + +int +mac_check_proc_setgroups(struct proc *proc, struct ucred *cred, + int ngroups, gid_t *gidset) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setgroups, cred, ngroups, gidset); + return (error); +} + +int +mac_check_proc_setreuid(struct proc *proc, struct ucred *cred, uid_t ruid, + uid_t euid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setreuid, cred, ruid, euid); + return (error); +} + +int +mac_check_proc_setregid(struct proc *proc, struct ucred *cred, gid_t rgid, + gid_t egid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setregid, cred, rgid, egid); + return (error); +} + +int +mac_check_proc_setresuid(struct proc *proc, struct ucred *cred, uid_t ruid, + uid_t euid, 
uid_t suid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setresuid, cred, ruid, euid, suid); + return (error); +} + +int +mac_check_proc_setresgid(struct proc *proc, struct ucred *cred, gid_t rgid, + gid_t egid, gid_t sgid) +{ + int error; + + PROC_LOCK_ASSERT(proc, MA_OWNED); + + if (!mac_enforce_suid) + return (0); + + MAC_CHECK(check_proc_setresgid, cred, rgid, egid, sgid); + return (error); +} diff --git a/sys/security/mac_stub/mac_stub.c b/sys/security/mac_stub/mac_stub.c index 35e3c34..cc93edf 100644 --- a/sys/security/mac_stub/mac_stub.c +++ b/sys/security/mac_stub/mac_stub.c @@ -842,6 +842,72 @@ stub_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) } static int +stub_check_proc_setuid(struct ucred *cred, uid_t uid) +{ + + return (0); +} + +static int +stub_check_proc_seteuid(struct ucred *cred, uid_t euid) +{ + + return (0); +} + +static int +stub_check_proc_setgid(struct ucred *cred, gid_t gid) +{ + + return (0); +} + +static int +stub_check_proc_setegid(struct ucred *cred, gid_t egid) +{ + + return (0); +} + +static int +stub_check_proc_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset) +{ + + return (0); +} + +static int +stub_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + + return (0); +} + +static int +stub_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + return (0); +} + +static int +stub_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + + return (0); +} + +static int +stub_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + + return (0); +} + +static int stub_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { 
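Review bot: The nine new mac_check_proc_set*() wrappers carry no comment, and two parts of their contract are easy to miss: `proc` is used only for `PROC_LOCK_ASSERT` and is not passed on to the policies, and `MAC_CHECK` consequently runs with the process lock held. A block comment before `mac_check_proc_setuid()` should state that the caller holds the process lock, that `cred` is the credential about to be replaced, that policy entry points presumably must not sleep, and that a non-zero return aborts the credential change. It should also mention that `mac_enforce_suid` short-circuits every one of these checks to "allow". This hunk starts on the previous page line, and the file continues outside it.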
@@ -1341,6 +1407,15 @@ static struct mac_policy_ops mac_stub_ops =
 .mpo_check_pipe_write = stub_check_pipe_write,
 .mpo_check_proc_debug = stub_check_proc_debug,
 .mpo_check_proc_sched = stub_check_proc_sched,
+ .mpo_check_proc_setuid = stub_check_proc_setuid,
+ .mpo_check_proc_seteuid = stub_check_proc_seteuid,
+ .mpo_check_proc_setgid = stub_check_proc_setgid,
+ .mpo_check_proc_setegid = stub_check_proc_setegid,
+ .mpo_check_proc_setgroups = stub_check_proc_setgroups,
+ .mpo_check_proc_setreuid = stub_check_proc_setreuid,
+ .mpo_check_proc_setregid = stub_check_proc_setregid,
+ .mpo_check_proc_setresuid = stub_check_proc_setresuid,
+ .mpo_check_proc_setresgid = stub_check_proc_setresgid,
 .mpo_check_proc_signal = stub_check_proc_signal,
 .mpo_check_socket_bind = stub_check_socket_bind,
 .mpo_check_socket_connect = stub_check_socket_connect,
diff --git a/sys/security/mac_test/mac_test.c b/sys/security/mac_test/mac_test.c
index d2555bc..4c77874 100644
--- a/sys/security/mac_test/mac_test.c
+++ b/sys/security/mac_test/mac_test.c
@@ -1707,6 +1707,90 @@ mac_test_check_proc_signal(struct ucred *cred, struct proc *proc, int signum) } static int +mac_test_check_proc_setuid(struct ucred *cred, uid_t uid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_seteuid(struct ucred *cred, uid_t euid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setgid(struct ucred *cred, gid_t gid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setegid(struct ucred *cred, gid_t egid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setgroups(struct ucred *cred, int ngroups, + gid_t *gidset) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setreuid(struct ucred *cred, uid_t ruid, uid_t euid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setregid(struct ucred *cred, gid_t rgid, gid_t egid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setresuid(struct ucred *cred, uid_t ruid, uid_t euid, + uid_t suid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int +mac_test_check_proc_setresgid(struct ucred *cred, gid_t rgid, gid_t egid, + gid_t sgid) +{ + + ASSERT_CRED_LABEL(cred->cr_label); + + return (0); +} + +static int mac_test_check_socket_bind(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { 
@@ -2357,6 +2441,15 @@ static struct mac_policy_ops mac_test_ops =
 .mpo_check_pipe_write = mac_test_check_pipe_write,
 .mpo_check_proc_debug = mac_test_check_proc_debug,
 .mpo_check_proc_sched = mac_test_check_proc_sched,
+ .mpo_check_proc_setuid = mac_test_check_proc_setuid,
+ .mpo_check_proc_seteuid = mac_test_check_proc_seteuid,
+ .mpo_check_proc_setgid = mac_test_check_proc_setgid,
+ .mpo_check_proc_setegid = mac_test_check_proc_setegid,
+ .mpo_check_proc_setgroups = mac_test_check_proc_setgroups,
+ .mpo_check_proc_setreuid = mac_test_check_proc_setreuid,
+ .mpo_check_proc_setregid = mac_test_check_proc_setregid,
+ .mpo_check_proc_setresuid = mac_test_check_proc_setresuid,
+ .mpo_check_proc_setresgid = mac_test_check_proc_setresgid,
 .mpo_check_proc_signal = mac_test_check_proc_signal,
 .mpo_check_socket_bind = mac_test_check_socket_bind,
 .mpo_check_socket_connect = mac_test_check_socket_connect,
diff --git a/sys/sys/mac.h b/sys/sys/mac.h
index 055a5ad..3e6e53e 100644
--- a/sys/sys/mac.h
+++ b/sys/sys/mac.h
@@ -330,6 +330,24 @@ int mac_check_pipe_stat(struct ucred *cred, struct pipepair *pp);
 int mac_check_pipe_write(struct ucred *cred, struct pipepair *pp);
 int mac_check_proc_debug(struct ucred *cred, struct proc *proc);
 int mac_check_proc_sched(struct ucred *cred, struct proc *proc);
+int mac_check_proc_setuid(struct proc *proc, struct ucred *cred,
+ uid_t uid);
+int mac_check_proc_seteuid(struct proc *proc, struct ucred *cred,
+ uid_t euid);
+int mac_check_proc_setgid(struct proc *proc, struct ucred *cred,
+ gid_t gid);
+int mac_check_proc_setegid(struct proc *proc, struct ucred *cred,
+ gid_t egid);
+int mac_check_proc_setgroups(struct proc *proc, struct ucred *cred,
+ int ngroups, gid_t *gidset);
+int mac_check_proc_setreuid(struct proc *proc, struct ucred *cred,
+ uid_t ruid, uid_t euid);
+int mac_check_proc_setregid(struct proc *proc, struct ucred *cred,
+ gid_t rgid, gid_t egid);
+int mac_check_proc_setresuid(struct proc *proc, struct ucred *cred,
+ uid_t ruid, uid_t euid, uid_t suid);
+int mac_check_proc_setresgid(struct proc *proc, struct ucred *cred,
+ gid_t rgid, gid_t egid, gid_t sgid);
 int mac_check_proc_signal(struct ucred *cred, struct proc *proc,
 int signum);
 int mac_check_socket_bind(struct ucred *cred, struct socket *so,
diff --git a/sys/sys/mac_policy.h b/sys/sys/mac_policy.h
index 036c7a9..910690a 100644
--- a/sys/sys/mac_policy.h
+++ b/sys/sys/mac_policy.h
@@ -408,6 +408,20 @@ struct mac_policy_ops {
 struct proc *proc);
 int (*mpo_check_proc_sched)(struct ucred *cred,
 struct proc *proc);
+ int (*mpo_check_proc_setuid)(struct ucred *cred, uid_t uid);
+ int (*mpo_check_proc_seteuid)(struct ucred *cred, uid_t euid);
+ int (*mpo_check_proc_setgid)(struct ucred *cred, gid_t gid);
+ int (*mpo_check_proc_setegid)(struct ucred *cred, gid_t egid);
+ int (*mpo_check_proc_setgroups)(struct ucred *cred, int ngroups,
+ gid_t *gidset);
+ int (*mpo_check_proc_setreuid)(struct ucred *cred, uid_t ruid,
+ uid_t euid);
+ int (*mpo_check_proc_setregid)(struct ucred *cred, gid_t rgid,
+ gid_t egid);
+ int (*mpo_check_proc_setresuid)(struct ucred *cred, uid_t ruid,
+ uid_t euid, uid_t suid);
+ int (*mpo_check_proc_setresgid)(struct ucred *cred, gid_t rgid,
+ gid_t egid, gid_t sgid);
 int (*mpo_check_proc_signal)(struct ucred *cred,
 struct proc *proc, int signum);
 int (*mpo_check_socket_bind)(struct ucred *cred, |