Mercurial > illumos > fmac

--- a/usr/src/uts/common/fmac/fmac.c	Mon Sep 15 08:30:57 2008 -0400
+++ b/usr/src/uts/common/fmac/fmac.c	Tue Sep 16 14:54:50 2008 -0400
@@ -333,7 +333,7 @@

 int
 fmac_exec(cred_t *cr, vnode_t *vp, boolean_t *setsecid,
-    security_id_t *prev_secidp, security_id_t *secidp)
+    boolean_t *execsetid, security_id_t *prev_secidp, security_id_t *secidp)
 {
 	security_id_t prev_secid, secid;
 	int error;
@@ -355,6 +355,7 @@
 		    FILE__EXECUTE_NO_TRANS);
 		if (error)
 			return (error);
+		*execsetid = B_FALSE;
 		*setsecid = B_FALSE;
 		return (0);
 	}
@@ -368,6 +369,14 @@
 	    FILE__ENTRYPOINT);
 	if (error)
 		return (error);
+
+	error = avc_has_perm(prev_secid, secid, SECCLASS_PROCESS,
+	    PROCESS__EXECSETID);
+	if (error)
+		*execsetid = B_TRUE;
+	else
+		*execsetid = B_FALSE;
+
 	*setsecid = B_TRUE;
 	*prev_secidp = prev_secid;
 	*secidp = secid;
@@ -420,6 +429,8 @@
 int
 fmac_priv_proc_cred_perm(const cred_t *scr, cred_t *tcr, int mode)
 {
+	_NOTE(ARGUNUSED(mode));	/* todo:  distinguish read vs. write? */
+
 	if (!fmac_enabled)
 		return (0);
 	return (avc_has_perm(crgetsecid((cred_t *)scr), crgetsecid(tcr),
--- a/usr/src/uts/common/os/exec.c	Mon Sep 15 08:30:57 2008 -0400
+++ b/usr/src/uts/common/os/exec.c	Tue Sep 16 14:54:50 2008 -0400
@@ -524,7 +524,7 @@
 	ssize_t resid;
 	uid_t uid, gid;
 	security_id_t prev_secid, secid;
-	boolean_t setsecid = B_FALSE;
+	boolean_t setsecid = B_FALSE, fmac_execsetid = B_FALSE;
 	struct vattr vattr;
 	char magbuf[MAGIC_BYTES];
 	int setid;
@@ -568,7 +568,8 @@
 	if (level == 0) {
 		privflags = execsetid(vp, &vattr, &uid, &gid);

-		error = fmac_exec(CRED(), vp, &setsecid, &prev_secid, &secid);
+		error = fmac_exec(CRED(), vp, &setsecid, &fmac_execsetid,
+		    &prev_secid, &secid);
 		if (error)
 			goto bad;

@@ -673,6 +674,9 @@
 	if (setid & PRIV_INCREASE)
 		setidfl |= EXECSETID_PRIVS;

+	if (fmac_execsetid)
+		setidfl |= EXECSETID_UGIDS;
+
 	error = (*eswp->exec_func)(vp, uap, args, idatap, level, execsz,
 	    setidfl, exec_file, cred, brand_action);
 	rw_exit(eswp->exec_lock);
--- a/usr/src/uts/common/sys/fmac/fmac.h	Mon Sep 15 08:30:57 2008 -0400
+++ b/usr/src/uts/common/sys/fmac/fmac.h	Tue Sep 16 14:54:50 2008 -0400
@@ -92,7 +92,7 @@
     security_id_t *);
 void fmac_vnode_post_create(vnode_t *, security_id_t);
 int fmac_exec(cred_t *cr, vnode_t *vp, boolean_t *setsecid,
-    security_id_t *prev_secidp, security_id_t *secidp);
+    boolean_t *execsetid, security_id_t *prev_secidp, security_id_t *secidp);
 int fmac_vnode_access(vnode_t *, int, int, cred_t *, boolean_t);
 int fmac_priv_proc_cred_perm(const cred_t *scr, cred_t *tcr, int mode);
 #endif /* _KERNEL */