changeset 7888:dc5a88b1d093
Fix setting of prev_secid
prev_secid is supposed to track the security context prior to the last
exec so that applications can get the context of their caller using
getprevcon(). This requires the prev_secid to be updated at times other
than when the secid is changing. This patch changes the fmac_exec() and
gexec() logic accordingly to ensure that the prev_secid is updated as
needed. In the case where the prior exec was a secid transition and the
current exec is not changing credentials, this requires a new cred in
order to update the prev_secid. We may migrate the prev_secid out of
the cred and into a per-process structure (as in Linux) in the future.
Webrev at: http://cr.opensolaris.org/~sds/prevsecid/
author | Stephen Smalley <sds@tycho.nsa.gov> |
---|---|
date | Fri, 17 Oct 2008 13:28:56 -0400 |
parents | f9ded24b041a |
children | da5be6cc4191 |
files | usr/src/uts/common/fmac/fmac.c usr/src/uts/common/os/exec.c |
diffstat | 2 files changed, 5 insertions(+), 1 deletions(-) |
--- a/usr/src/uts/common/fmac/fmac.c Fri Oct 17 13:28:50 2008 -0400 +++ b/usr/src/uts/common/fmac/fmac.c Fri Oct 17 13:28:56 2008 -0400 @@ -583,6 +583,7 @@ return (error); *execsetid = B_FALSE; *setsecid = B_FALSE; + *prev_secidp = *secidp = secid; return (0); }
--- a/usr/src/uts/common/os/exec.c Fri Oct 17 13:28:50 2008 -0400 +++ b/usr/src/uts/common/os/exec.c Fri Oct 17 13:28:56 2008 -0400 @@ -580,8 +580,8 @@ if (level == 0 && privflags != 0) { newcred = cred = crdup(cred); + cred->cr_prev_secid = prev_secid; if (setsecid) { - cred->cr_prev_secid = prev_secid; cred->cr_secid = secid; cred->cr_exec_secid = SECSID_NULL; } @@ -623,6 +623,9 @@ CR_EPRIV(cred) = CR_PPRIV(cred) = CR_IPRIV(cred); priv_adjust_PA(cred); } + } else if (level == 0 && cred->cr_prev_secid != prev_secid) { + newcred = cred = crdup(cred); + cred->cr_prev_secid = prev_secid; } /* SunOS 4.x buy-back */
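Review bot: the added `*prev_secidp = *secidp = secid;` in the fmac.c hunk at -583 writes both out-parameters on the return path where `*setsecid` is `B_FALSE`, with no comment saying why the previous context is set equal to the current one. A one-line comment stating the intent (the value getprevcon() should report after an exec with no transition) would help, and splitting the chained assignment into two statements would make each out-parameter's update easier to spot.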
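Review bot: in the exec.c hunk at -580, `cred->cr_prev_secid = prev_secid;` now runs whenever `level == 0 && privflags != 0` rather than only under `if (setsecid)`, so `prev_secid` has to hold a valid value on every successful return from the function patched in fmac.c (fmac_exec() per the commit message), and that hunk shows only one return path assigning it. Please confirm the remaining paths set it, or initialize `prev_secid` where it is declared, so a stale or uninitialized value cannot be copied into the new cred.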
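Review bot: the new `else if (level == 0 && cred->cr_prev_secid != prev_secid)` branch in the exec.c hunk at -623 duplicates the cred on an exec that changes no credentials, and nothing in the code says why. The commit message gives the reason (the prior exec was a secid transition, so only cr_prev_secid needs updating); a short block comment to that effect above the `crdup(cred)` call would keep a later reader from treating the branch as unnecessary. The `newcred = cred = crdup(cred);` plus `cred->cr_prev_secid = prev_secid;` pair also now appears in both exec.c hunks and could be factored or at least cross-referenced in that comment.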