sysent: allow ABI to disable setid on exec.

Reviewed by: dchagin Tested by: trasz MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D28154
2021-01-14 15:38:29 +02:00 · 2021-01-14 15:38:29 +02:00 · 2d423f7671
commit 2d423f7671
parent 19e6043a44
2 changed files with 6 additions and 0 deletions
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@ -778,6 +778,10 @@ do_execve(struct thread *td, struct image_args *args, struct mac *mac_p,
 		signotify(td);
 	}

+	if (imgp->sysent->sv_setid_allowed != NULL &&
+	    !(*imgp->sysent->sv_setid_allowed)(td, imgp))
+		execve_nosetid(imgp);
+
 	/*
 	 * Implement image setuid/setgid installation.
 	 */
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@ -148,6 +148,8 @@ struct sysentvec {
 	void		(*sv_onexec)(struct proc *, struct image_params *);
 	void		(*sv_onexit)(struct proc *);
 	void		(*sv_ontdexit)(struct thread *td);
+	bool		(*sv_setid_allowed)(struct thread *td,
+			    struct image_params *imgp);
 };

 #define	SV_ILP32	0x000100	/* 32-bit executable. */