path: root/sys/kern/kern_prot.c
Commit log. Each entry: author, date (files changed, lines -removed/+added): commit message.
* rwatson, 2004-01-23 (1 file, -3/+1): Don't grab Giant in crfree(), since prison_free() no longer requires it. The uidinfo code appears to be MPSAFE, and is referenced without Giant elsewhere. While this grab of Giant was only made in fairly rare circumstances (actually GC'ing on refcount==0), grabbing Giant here potentially introduces lock order issues with any locks held by the caller. So this probably won't help performance much unless you change credentials a lot in an application, and leave a lot of file descriptors and cached credentials around. However, it simplifies locking down consumers of the credential interfaces.
  Bumped into by: sam
  Appeased: tjr
* rwatson, 2003-12-06 (1 file, -1/+1): Rename mac_create_cred() MAC Framework entry point to mac_copy_cred(), and the mpo_create_cred() MAC policy entry point to mpo_copy_cred_label(). This is more consistent with similar entry points for creation and label copying, as mac_create_cred() was called from crdup() as opposed to during process creation. For a number of policies, this removes the requirement for special handling when copying credential labels, and improves consistency.
  Approved by: re (scottl)
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
* rwatson, 2003-11-17 (1 file, -2/+51): Add a sysctl, security.bsd.see_other_gids, similar in semantics to see_other_uids but with the logical conversion. This is based on (but not identical to) the patch submitted by Samy Al Bahra.
  Submitted by: Samy Al Bahra <samy@kerneled.com>
* jhb, 2003-10-23 (1 file, -4/+0): Writes to p_flag in __setugid() no longer need Giant.
* rwatson, 2003-09-14 (1 file, -1/+16): Add a new sysctl, security.bsd.conservative_signals, to disable special signal-delivery protections for setugid processes. In the event that a system is relying on "unusual" signal delivery to processes that change their credentials, this can be used to work around application problems. Also, add SIGALRM to the set of signals permitted to be delivered to setugid processes by unprivileged subjects.
  Reported by: Joe Greco <jgreco@ns.sol.net>
* truckman, 2003-07-13 (1 file, -1/+1): Extend the mutex pool implementation to permit the creation and use of multiple mutex pools with different options and sizes. Mutex pools can be created with either the default sleep mutexes or with spin mutexes. A dynamically created mutex pool can now be destroyed if it is no longer needed. Create two pools by default, one that matches the existing pool that uses the MTX_NOWITNESS option that should be used for building higher level locks, and a new pool with witness checking enabled. Modify the users of the existing mutex pool to use the appropriate pool in the new implementation.
  Reviewed by: jhb
* cognet, 2003-07-04 (1 file, -12/+13): In setpgrp(), don't assume a pgrp won't exist if the provided pgid is the same as the target process' pid; it may exist if the process forked before leaving the pgrp. This fixes a panic that happens when calling setpgid to make a process re-enter the pgrp with the same pgid as its pid if the pgrp still exists.
* cognet, 2003-06-25 (1 file, -2/+0): At this point targp will always be NULL, so remove the useless if.
* rwatson, 2003-06-15 (1 file, -0/+8): Various cr*() calls believed to be MPSAFE, since the uidinfo code is locked down.
* obrien, 2003-06-11 (1 file, -1/+3): Use __FBSDID().
* jhb, 2003-06-09 (1 file, -1/+1): The issetugid() function is MPSAFE.
* jhb, 2003-05-01 (1 file, -30/+0): Remove Giant from the setuid(), seteuid(), setgid(), setegid(), setgroups(), setreuid(), setregid(), setresuid(), and setresgid() syscalls as well as the cred_update_thread() function.
* jhb, 2003-04-25 (1 file, -30/+28): Remove Giant from getpgid() and getsid() and tweak the logic to more closely match that of 4.x.
* imp, 2003-02-19 (1 file, -4/+4): Back out M_* changes, per decision of the TRB.
  Approved by: trb
* jake, 2003-02-10 (1 file, -9/+0): Remove mtx_lock_giant from functions which are mp-safe.
* alfred, 2003-01-21 (1 file, -4/+4): Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0. Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
* rwatson, 2002-08-01 (1 file, -1/+1): Include file cleanup; mac.h and malloc.h at one point had ordering relationship requirements, and no longer do.
  Reminded by: bde
* rwatson, 2002-07-31 (1 file, -3/+21): Introduce support for Mandatory Access Control and extensible kernel access control. Implement inter-process access control entry points for the MAC framework. This permits policy modules to augment the decision making process for process and socket visibility, process debugging, re-scheduling, and signaling.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
* rwatson, 2002-07-31 (1 file, -0/+11): Introduce support for Mandatory Access Control and extensible kernel access control. Invoke the necessary MAC entry points to maintain labels on process credentials. In particular, invoke entry points for the initialization and destruction of struct ucred, the copying of struct ucred, and permit the initial labels to be set for both process 0 (parent of all kernel processes) and process 1 (parent of all user processes).
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
* mini, 2002-07-11 (1 file, -0/+13): Revert removal of cred_free_thread(): It is used to ensure that a thread's credentials are not improperly borrowed when the thread is not current in the kernel.
  Requested by: jhb, alfred
* alfred, 2002-06-29 (1 file, -20/+17): More caddr_t removal, make fo_ioctl take a void * instead of a caddr_t.
* mini, 2002-06-24 (1 file, -13/+0): Remove unused diagnostic function cred_free_thread().
  Approved by: alfred
* alfred, 2002-06-19 (1 file, -14/+40): Squish the "could sleep with process lock" messages caused by calling uifind() with a proc lock held. change_ruid() and change_euid() have been modified to take a uidinfo structure which will be pre-allocated by callers; they will then call uihold() on the uidinfo structure so that the caller's logic is simplified. This allows one to call uifind() before locking the proc struct and thereby avoid a potential blocking allocation with the proc lock held. This may need revisiting, perhaps keeping a spare uidinfo allocated per process to handle this situation or re-examining if the proc lock needs to be held over the entire operation of changing real or effective user id.
  Submitted by: Don Lewis <dl-freebsd@catspoiler.org>
* alfred, 2002-06-18 (1 file, -0/+2): setsugid() touches p->p_flag so assert that the proc is locked.
* jhb, 2002-05-19 (1 file, -60/+69): Change p_can{debug,see,sched,signal}()'s first argument to be a thread pointer instead of a proc pointer and require the process pointed to by the second argument to be locked. We now use the thread ucred reference for the credential checks in p_can*() as a result. p_canfoo() should now no longer need Giant.
* tanimura, 2002-05-03 (1 file, -16/+5): As malloc(9) and free(9) are now Giant-free, remove the Giant lock across malloc(9) and free(9) of a pgrp or a session.
* tanimura, 2002-04-20 (1 file, -11/+14): Push down Giant for setpgid(), setsid() and aio_daemon(). Giant protects only malloc(9) and free(9).
* jhb, 2002-04-16 (1 file, -35/+20):
  - Lock proctree_lock instead of pgrpsess_lock.
  - Simplify return logic of setsid() and setpgid().
* jhb, 2002-04-13 (1 file, -83/+137):
  - Change the algorithms of the syscalls to modify process credentials to allocate a blank cred first, lock the process, perform checks on the old process credential, copy the old process credential into the new blank credential, modify the new credential, update the process credential pointer, unlock the process, and cleanup rather than trying to allocate a new credential after performing the checks on the old credential.
  - Cleanup _setugid() a little bit.
  - setlogin() doesn't need Giant thanks to pgrp/session locking and td_ucred.
* jhb, 2002-04-03 (1 file, -9/+2):
  - Axe a stale comment. We haven't allowed the ucred pointer passed to securelevel_*() to be NULL for a while now.
  - Use KASSERT() instead of if (foo) panic(); to optimize the !INVARIANTS case.
  Submitted by: Martin Faxer <gmh003532@brfmasthugget.se>
* jhb, 2002-04-01 (1 file, -53/+32): Change the suser() API to take advantage of td_ucred as well as do a general cleanup of the API. The entire API now consists of two functions similar to the pre-KSE API. The suser() function takes a thread pointer as its only argument. The td_ucred member of this thread must be valid so the only valid thread pointers are curthread and a few kernel threads such as thread0. The suser_cred() function takes a pointer to a struct ucred as its first argument and an integer flag as its second argument. The flag is currently only used for the PRISON_ROOT flag.
  Discussed on: smp@
* jhb, 2002-04-01 (1 file, -130/+46): Whitespace only change: use ANSI function declarations instead of K&R.
* jhb, 2002-04-01 (1 file, -1/+1): Fix style bug in previous commit.
* dillon, 2002-03-27 (1 file, -12/+11): Compromise for critical*()/cpu_critical*() recommit. Cleanup the interrupt disablement assumptions in kern_fork.c by adding another API call, cpu_critical_fork_exit(). Cleanup the td_savecrit field by moving it from MI to MD. Temporarily move cpu_critical*() from <arch>/include/cpufunc.h to <arch>/<arch>/critical.c (stage-2 will clean this up). Implement interrupt deferral for i386 that allows interrupts to remain enabled inside critical sections. This also fixes an IPI interlock bug, and requires uses of icu_lock to be enclosed in a true interrupt disablement. This is the stage-1 commit. Stage-2 will occur after stage-1 has stabilized, and will move cpu_critical*() into its own header file(s) + other things. This commit may break non-i386 architectures in trivial ways. This should be temporary.
  Reviewed by: core
  Approved by: core
* jhb, 2002-03-22 (1 file, -32/+16): Use td_ucred in several trivial syscalls and remove Giant locking as appropriate.
* jhb, 2002-03-22 (1 file, -6/+5): Use explicit Giant locks and unlocks rather than instrumented ones for code that is still not safe. suser() reads p_ucred so it still needs Giant for the time being. This should allow kern.giant.proc to be set to 0 for the time being.
* rwatson, 2002-03-22 (1 file, -0/+23): Merge from TrustedBSD MAC branch: Move the network code from using cr_cansee() to check whether a socket is visible to a requesting credential to using a new function, cr_canseesocket(), which accepts a subject credential and object socket. Implement cr_canseesocket() so that it does a prison check, a uid check, and add a comment where shortly a MAC hook will go. This will allow MAC policies to separately instrument the visibility of sockets from the visibility of processes.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
* rwatson, 2002-03-22 (1 file, -2/+2): Since cred never appears to be passed into the securelevel calls as NULL, turn warning printf's into panic's, since this call has been restructured such that a NULL cred would result in a page fault anyway. There appears to be one case where NULL is explicitly passed in, in the sysctl code, and this is believed to be in error, so will be modified. Securelevels now always require a credential context so that per-jail securelevels are properly implemented.
  Obtained from: TrustedBSD Project
  Sponsored by: NAI Labs
  Discussed with: bde
* rwatson, 2002-03-22 (1 file, -4/+28): Break out the "see_other_uids" policy check from the various method-based inter-process security checks. To do this, introduce a new cr_seeotheruids(u1, u2) function, which encapsulates the "see_other_uids" logic. Call out to this policy following the jail security check for all of {debug,sched,see,signal} inter-process checks. This more consistently enforces the check, and makes the check easy to modify. Eventually, it may be that this check should become a MAC policy, loaded via a module.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
* jhb, 2002-03-20 (1 file, -0/+15):
  - Push down Giant into crfree() in the case that we actually free a ucred.
  - Add a cred_free_thread() function (conditional on DIAGNOSTICS) that drops a per-thread ucred reference to be used in debugging code when leaving the kernel.
* tanimura, 2002-03-11 (1 file, -2/+0): Stop abusing the pgrpsess_lock.
* jhb, 2002-02-27 (1 file, -6/+6): Temporarily lock Giant while we update td_ucred. The proc lock doesn't fully protect p_ucred yet so Giant is needed until all the p_ucred locking is done. This is the original reason td_ucred was not used immediately after its addition. Unfortunately, not using td_ucred is not enough to avoid problems. Since p_ucred could be stale, we could actually be dereferencing a stale pointer to dink with the refcount, so we really need Giant to avoid foot-shooting. This allows td_ucred to be safely used as well.
* tanimura, 2002-02-27 (1 file, -0/+2): Return ESRCH if the target process is not inferior to the curproc.
  Spotted by: HIROSHI OOTA <oota@LSi.nec.co.jp>
* dd, 2002-02-27 (1 file, -0/+16): Introduce a version field to `struct xucred' in place of one of the spares (the size of the field was changed from u_short to u_int to reflect what it really ends up being). Accordingly, change users of xucred to set and check this field as appropriate. In the kernel, this is being done inside the new cru2x() routine which takes a `struct ucred' and fills out a `struct xucred' according to the former. This also has the pleasant side effect of removing some duplicate code.
  Reviewed by: rwatson
* tanimura, 2002-02-23 (1 file, -38/+124): Lock struct pgrp, session and sigio.
  New locks are:
  - pgrpsess_lock which locks the whole pgrps and sessions,
  - pg_mtx which protects the pgrp members, and
  - s_mtx which protects the session members.
  Please refer to sys/proc.h for the coverage of these locks.
  Changes on the pgrp/session interface:
  - pgfind() needs the pgrpsess_lock held.
  - The caller of enterpgrp() is responsible to allocate a new pgrp and session.
  - Call enterthispgrp() in order to enter an existing pgrp.
  - pgsignal() requires a pgrp lock held.
  Reviewed by: jhb, alfred
  Tested on: cvsup.jp.FreeBSD.org (which is a quad-CPU machine running -current)
* dillon, 2002-02-17 (1 file, -9/+11): Replace the embedded cr_mtx in the ucred structure with cr_mtxp (a mutex pointer), and use the mutex pool routines. This greatly reduces the size of the ucred structure.
* julian, 2002-02-17 (1 file, -0/+21): If the credential on an incoming thread is correct, don't bother reacquiring it. In the same vein, don't bother dropping the thread cred when going to userland. We are guaranteed to need it when we come back (which we are guaranteed to do).
  Reviewed by: jhb@freebsd.org, bde@freebsd.org (slightly different version)
* arr, 2002-01-16 (1 file, -8/+7):
  - Attempt to help declutter kern. sysctl by moving security out from beneath it.
  Reviewed by: rwatson
* rwatson, 2002-01-06 (1 file, -30/+45):
  - Push much of the logic for p_cansignal() behind cr_cansignal, which authorizes based on a subject credential rather than a subject process. This will permit the same logic to be reused in situations where only the credential generating the signal is available, such as in the delivery of SIGIO.
  - Because of two clauses, the automatic success against curproc, and the session semantics for SIGCONT, not all logic can be pushed into cr_cansignal(), but those cases should not apply for most other consumers of cr_cansignal().
  - This brings the base system inter-process authorization code more into line with the MAC implementation.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
* rwatson, 2001-12-06 (1 file, -6/+7):
  o A few more minor whitespace and other style fixes.
  Submitted by: bde