changeset 7864:f40998e41fac

Mediate access to proc vnodes Mediate access to the proc vnodes of another process. We will need further hooks elsewhere for complete coverage, e.g. praccess() allows certain proc files to be read by anyone. Result of running "truss passwd" as a root process running in the unprivileged user_t domain: avc: denied { ptrace } for scontext=system_u:system_r:user_t:unclassified tcontext=system_u:system_r:passwd_t:unclassified tclass=process pid=100779 comm=truss
author Stephen Smalley <sds@tycho.nsa.gov>
date Mon, 15 Sep 2008 08:30:57 -0400
parents d1beae49542c
children 831da5fa2b03
files usr/src/uts/common/fmac/fmac.c usr/src/uts/common/os/priv.c usr/src/uts/common/sys/fmac/fmac.h
diffstat 3 files changed, 15 insertions(+), 1 deletions(-) [+]
--- a/usr/src/uts/common/fmac/fmac.c	Fri Sep 12 13:45:33 2008 -0400
+++ b/usr/src/uts/common/fmac/fmac.c	Mon Sep 15 08:30:57 2008 -0400
@@ -416,3 +416,12 @@
 		AVC_AUDIT_DATA_INIT(&ad, DONTAUDIT);
 	return (avc_has_perm_audit(cr_secid, vp->v_secid, sclass, av, &ad));
 }
+
+int
+fmac_priv_proc_cred_perm(const cred_t *scr, cred_t *tcr, int mode)
+{
+	if (!fmac_enabled)
+		return (0);
+	return (avc_has_perm(crgetsecid((cred_t *)scr), crgetsecid(tcr),
+		    SECCLASS_PROCESS, PROCESS__PTRACE));
+}
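Review bot: `mode` is accepted by fmac_priv_proc_cred_perm() but never used, so every request, read-only or read-write, is checked against the single PROCESS__PTRACE permission, and nothing in the function says this is intentional. A header comment would make that policy decision explicit for whoever adds the further hooks the commit message mentions, e.g. `/* Check whether scr may access tcr's proc vnodes; mode is ignored and all access is treated as ptrace. */`. The `(cred_t *)scr` cast discards const only to call crgetsecid(). Its declaration is not visible here, but if that accessor does not modify the credential, const-qualifying its parameter would remove the need for the cast.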
--- a/usr/src/uts/common/os/priv.c	Fri Sep 12 13:45:33 2008 -0400
+++ b/usr/src/uts/common/os/priv.c	Mon Sep 15 08:30:57 2008 -0400
@@ -56,6 +56,7 @@
 #include <sys/priv_impl.h>
 #include <sys/procfs.h>
 #include <sys/policy.h>
+#include <sys/fmac/fmac.h>
 #include <sys/cred_impl.h>
 #include <sys/devpolicy.h>
 #include <sys/atomic.h>
@@ -605,9 +606,12 @@
 	if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
 	    !priv_issubset(&CR_OPPRIV(tcr), eset) ||
 	    !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
-	    !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
+	    !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0) {
 		res = EACCES;
+		goto out;
+	}
 
+	res = fmac_priv_proc_cred_perm(scr, tcr, mode);
 out:
 	if (res == 0 && pcr != NULL)
 		*pcr = tcr;
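Review bot: The FMAC check at `res = fmac_priv_proc_cred_perm(scr, tcr, mode);` runs only on the fall-through path, so any earlier `goto out` in this function that leaves `res == 0` would grant access without consulting the policy. The function starts outside this hunk, so those paths cannot be seen here. It is worth confirming that each one is a case where skipping the mandatory check is intended, and saying so in a comment above the call. The result is also stored directly in `res`, which is handled as an errno value, so this relies on avc_has_perm() returning 0 or an errno such as EACCES. That is presumably the case, but a short comment stating the return convention would help.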
--- a/usr/src/uts/common/sys/fmac/fmac.h	Fri Sep 12 13:45:33 2008 -0400
+++ b/usr/src/uts/common/sys/fmac/fmac.h	Mon Sep 15 08:30:57 2008 -0400
@@ -94,6 +94,7 @@
 int fmac_exec(cred_t *cr, vnode_t *vp, boolean_t *setsecid,
     security_id_t *prev_secidp, security_id_t *secidp);
 int fmac_vnode_access(vnode_t *, int, int, cred_t *, boolean_t);
+int fmac_priv_proc_cred_perm(const cred_t *scr, cred_t *tcr, int mode);
 #endif /* _KERNEL */
 
 #ifdef __cplusplus