linuxolator: Add compat.linux.setid_allowed knob

PR: 21463 Reported by: kris Reviewed by: dchagin Tested by: trasz Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D28154
2021-01-14 15:51:52 +02:00 · 2021-01-14 15:51:52 +02:00 · 598f6fb49c
commit 598f6fb49c
parent 2d423f7671
7 changed files with 33 additions and 1 deletions
--- a/share/man/man4/linux.4
+++ b/share/man/man4/linux.4
@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 5, 2020
+.Dd May 6, 2021
 .Dt LINUX 4
 .Os
 .Sh NAME
@ -130,6 +130,18 @@ From a user perspective, this makes
 .Va SIGINFO
 work for Linux executables.
 Defaults to 0.
+.It Va compat.linux.setid_allowed
+Disable handling of set-user-ID and set-group-ID mode bits for the new
+process image file when image is to be executed under Linux ABI.
+When set, new Linux images always use credentials of the program
+that issued
+.Xr execve 2
+call, regardless of the image file mode.
+.Pp
+This might be reasonable or even required, because
+.Fx
+does not emulate Linux environment completely, and missed features
+could become holes.
 .El
 .Sh FILES
 .Bl -tag -width /compat/linux/dev/shm -compact
--- a/sys/amd64/linux/linux_sysvec.c
+++ b/sys/amd64/linux/linux_sysvec.c
@ -764,6 +764,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };

 static void
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@ -931,6 +931,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };

 static void
--- a/sys/arm64/linux/linux_sysvec.c
+++ b/sys/arm64/linux/linux_sysvec.c
@ -443,6 +443,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };

 static void
--- a/sys/compat/linux/linux_mib.c
+++ b/sys/compat/linux/linux_mib.c
@ -99,6 +99,18 @@ int linux_use_emul_path = 1;
 SYSCTL_INT(_compat_linux, OID_AUTO, use_emul_path, CTLFLAG_RWTUN,
    &linux_use_emul_path, 0, "Use linux.compat.emul_path");

+static bool linux_setid_allowed = true;
+SYSCTL_BOOL(_compat_linux, OID_AUTO, setid_allowed, CTLFLAG_RWTUN,
+    &linux_setid_allowed, 0,
+    "Allow setuid/setgid on execve of Linux binary");
+
+bool
+linux_setid_allowed_query(struct thread *td __unused,
+    struct image_params *imgp __unused)
+{
+	return (linux_setid_allowed);
+}
+
 static int	linux_set_osname(struct thread *td, char *osname);
 static int	linux_set_osrelease(struct thread *td, char *osrelease);
 static int	linux_set_oss_version(struct thread *td, int oss_version);
--- a/sys/compat/linux/linux_mib.h
+++ b/sys/compat/linux/linux_mib.h
@ -71,4 +71,7 @@ extern int linux_ignore_ip_recverr;
 extern int linux_preserve_vstatus;
 extern bool linux_map_sched_prio;

+struct image_params;
+bool linux_setid_allowed_query(struct thread *td, struct image_params *imgp);
+
 #endif /* _LINUX_MIB_H_ */
--- a/sys/i386/linux/linux_sysvec.c
+++ b/sys/i386/linux/linux_sysvec.c
@ -871,6 +871,7 @@ struct sysentvec linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 INIT_SYSENTVEC(aout_sysvec, &linux_sysvec);

@ -908,6 +909,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };

 static void