Commit Graph

153 Commits

Author SHA1 Message Date
tanimura
e2acd5cecf Push down Giant for setpgid(), setsid() and aio_daemon(). Giant protects only
malloc(9) and free(9).
2002-04-20 12:02:52 +00:00
jhb
d9a4c30c37 - Lock proctree_lock instead of pgrpsess_lock.
- Simplify return logic of setsid() and setpgid().
2002-04-16 17:06:11 +00:00
jhb
95ee443e6c - Change the algorithms of the syscalls to modify process credentials to
allocate a blank cred first, lock the process, perform checks on the
  old process credential, copy the old process credential into the new
  blank credential, modify the new credential, update the process
  credential pointer, unlock the process, and cleanup rather than trying
  to allocate a new credential after performing the checks on the old
  credential.
- Cleanup _setugid() a little bit.
- setlogin() doesn't need Giant thanks to pgrp/session locking and
  td_ucred.
2002-04-13 23:07:05 +00:00
jhb
9fa365d7d6 - Axe a stale comment. We haven't allowed the ucred pointer passed to
securelevel_*() to be NULL for a while now.
- Use KASSERT() instead of if (foo) panic(); to optimize the
  !INVARIANTS case.

Submitted by:	Martin Faxer <gmh003532@brfmasthugget.se>
2002-04-03 18:35:25 +00:00
jhb
dc2e474f79 Change the suser() API to take advantage of td_ucred as well as do a
general cleanup of the API.  The entire API now consists of two functions
similar to the pre-KSE API.  The suser() function takes a thread pointer
as its only argument.  The td_ucred member of this thread must be valid
so the only valid thread pointers are curthread and a few kernel threads
such as thread0.  The suser_cred() function takes a pointer to a struct
ucred as its first argument and an integer flag as its second argument.
The flag is currently only used for the PRISON_ROOT flag.

Discussed on:	smp@
2002-04-01 21:31:13 +00:00
jhb
81ff87afc2 Whitespace only change: use ANSI function declarations instead of K&R. 2002-04-01 20:13:31 +00:00
jhb
7205e92665 Fix style bug in previous commit. 2002-04-01 17:53:42 +00:00
dillon
dc5aafeb94 Compromise for critical*()/cpu_critical*() recommit. Cleanup the interrupt
disablement assumptions in kern_fork.c by adding another API call,
cpu_critical_fork_exit().  Cleanup the td_savecrit field by moving it
from MI to MD.  Temporarily move cpu_critical*() from <arch>/include/cpufunc.h
to <arch>/<arch>/critical.c (stage-2 will clean this up).

Implement interrupt deferral for i386 that allows interrupts to remain
enabled inside critical sections.  This also fixes an IPI interlock bug,
and requires uses of icu_lock to be enclosed in a true interrupt disablement.

This is the stage-1 commit.  Stage-2 will occur after stage-1 has stabilized,
and will move cpu_critical*() into its own header file(s) + other things.
This commit may break non-i386 architectures in trivial ways.  This should
be temporary.

Reviewed by:	core
Approved by:	core
2002-03-27 05:39:23 +00:00
jhb
f89014c6f6 Use td_ucred in several trivial syscalls and remove Giant locking as
appropriate.
2002-03-22 22:32:04 +00:00
jhb
59d20d5aab Use explicit Giant locks and unlocks for rather than instrumented ones for
code that is still not safe.  suser() reads p_ucred so it still needs
Giant for the time being.  This should allow kern.giant.proc to be set
to 0 for the time being.
2002-03-22 21:02:02 +00:00
rwatson
afe2b1f929 Merge from TrustedBSD MAC branch:
Move the network code from using cr_cansee() to check whether a
    socket is visible to a requesting credential to using a new
    function, cr_canseesocket(), which accepts a subject credential
    and object socket.  Implement cr_canseesocket() so that it does a
    prison check, a uid check, and add a comment where shortly a MAC
    hook will go.  This will allow MAC policies to seperately
    instrument the visibility of sockets from the visibility of
    processes.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-03-22 19:57:41 +00:00
rwatson
ef91e0f942 Since cred never appears to be passed into the securelevel calls as
NULL, turn warning printf's into panic's, since this call has been
restructured such that a NULL cred would result in a page fault anyway.

There appears to be one case where NULL is explicitly passed in in the
sysctl code, and this is believed to be in error, so will be modified.
Securelevels now always require a credential context so that per-jail
securelevels are properly implemented.

Obtained from:	TrustedBSD Project
Sponsored by:	NAI Labs
Discussed with:	bde
2002-03-22 14:49:12 +00:00
rwatson
d8370f667d Break out the "see_other_uids" policy check from the various
method-based inter-process security checks.  To do this, introduce
a new cr_seeotheruids(u1, u2) function, which encapsulates the
"see_other_uids" logic.  Call out to this policy following the
jail security check for all of {debug,sched,see,signal} inter-process
checks.  This more consistently enforces the check, and makes the
check easy to modify.  Eventually, it may be that this check should
become a MAC policy, loaded via a module.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-03-22 02:28:26 +00:00
jhb
64bf9fe9fa - Push down Giant into crfree() in the case that we actually free a ucred.
- Add a cred_free_thread() function (conditional on DIAGNOSTICS) that drops
  a per-thread ucred reference to be used in debugging code when leaving
  the kernel.
2002-03-20 21:00:50 +00:00
tanimura
22c75bf1c9 Stop abusing the pgrpsess_lock. 2002-03-11 07:53:13 +00:00
jhb
ec01b5bdbc Temporarily lock Giant while we update td_ucred. The proc lock doesn't
fully protect p_ucred yet so Giant is needed until all the p_ucred
locking is done.  This is the original reason td_ucred was not used
immediately after its addition.  Unfortunately, not using td_ucred is
not enough to avoid problems.  Since p_ucred could be stale, we could
actually be dereferencing a stale pointer to dink with the refcount, so
we really need Giant to avoid foot-shooting.  This allows td_ucred to
be safely used as well.
2002-02-27 18:30:01 +00:00
tanimura
002f46389d Return ESRCH if the target process is not inferior to the curproc.
Spotted by:	HIROSHI OOTA <oota@LSi.nec.co.jp>
2002-02-27 10:38:14 +00:00
dd
c8a6bd9922 Introduce a version field to `struct xucred' in place of one of the
spares (the size of the field was changed from u_short to u_int to
reflect what it really ends up being).  Accordingly, change users of
xucred to set and check this field as appropriate.  In the kernel,
this is being done inside the new cru2x() routine which takes a
`struct ucred' and fills out a `struct xucred' according to the
former.  This also has the pleasant sideaffect of removing some
duplicate code.

Reviewed by:	rwatson
2002-02-27 04:45:37 +00:00
tanimura
a09da29859 Lock struct pgrp, session and sigio.
New locks are:

- pgrpsess_lock which locks the whole pgrps and sessions,
- pg_mtx which protects the pgrp members, and
- s_mtx which protects the session members.

Please refer to sys/proc.h for the coverage of these locks.

Changes on the pgrp/session interface:

- pgfind() needs the pgrpsess_lock held.

- The caller of enterpgrp() is responsible to allocate a new pgrp and
  session.

- Call enterthispgrp() in order to enter an existing pgrp.

- pgsignal() requires a pgrp lock held.

Reviewed by:	jhb, alfred
Tested on:	cvsup.jp.FreeBSD.org
		(which is a quad-CPU machine running -current)
2002-02-23 11:12:57 +00:00
dillon
683d9b041d replace the embedded cr_mtx in the ucred structure with cr_mtxp (a mutex
pointer), and use the mutex pool routines.  This greatly reduces the size
of the ucred structure.
2002-02-17 07:30:34 +00:00
julian
abe785e035 If the credential on an incoming thread is correct, don't bother
reaquiring it. In the same vein, don't bother dropping the thread cred
when goinf ot userland. We are guaranteed to nned it when we come back,
(which we are guaranteed to do).

Reviewed by:	jhb@freebsd.org, bde@freebsd.org (slightly different version)
2002-02-17 01:09:56 +00:00
arr
1ae1e4e3f2 - Attempt to help declutter kern. sysctl by moving security out from
beneath it.

Reviewed by: rwatson
2002-01-16 06:55:30 +00:00
rwatson
6b7ac7804d - Push much of the logic for p_cansignal() behind cr_cansignal, which
authorized based on a subject credential rather than a subject process.
  This will permit the same logic to be reused in situations where only
  the credential generating the signal is available, such as in the
  delivery of SIGIO.
- Because of two clauses, the automatic success against curproc,
  and the session semantics for SIGCONT, not all logic can be pushed
  into cr_cansignal(), but those cases should not apply for most other
  consumers of cr_cansignal().
- This brings the base system inter-process authorization code more
  into line with the MAC implementation.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2002-01-06 00:20:12 +00:00
rwatson
7769631069 o A few more minor whitespace and other style fixes.
Submitted by:	bde
2001-12-06 21:58:47 +00:00
rwatson
751c41df3a o Remove unnecessary inclusion of opt_global.h.
Submitted by:	bde
2001-12-06 21:55:41 +00:00
rwatson
754ad10054 o Make kern.security.bsd.suser_enabled TUNABLE.
Requested by:	green
2001-12-05 18:49:20 +00:00
rwatson
fb311b7cce o Update an instance of 'unprivileged_procdebug_permitted' missed
in the previous commit: the comment should also call it
  'unprivileged_proc_debug'.
2001-12-03 19:10:21 +00:00
rwatson
b5de442911 o Introduce pr_mtx into struct prison, providing protection for the
mutable contents of struct prison (hostname, securelevel, refcount,
  pr_linux, ...)
o Generally introduce mtx_lock()/mtx_unlock() calls throughout kern/
  so as to enforce these protections, in particular, in kern_mib.c
  protection sysctl access to the hostname and securelevel, as well as
  kern_prot.c access to the securelevel for access control purposes.
o Rewrite linux emulator abstractions for accessing per-jail linux
  mib entries (osname, osrelease, osversion) so that they don't return
  a pointer to the text in the struct linux_prison, rather, a copy
  to an array passed into the calls.  Likewise, update linprocfs to
  use these primitives.
o Update in_pcb.c to always use prison_getip() rather than directly
  accessing struct prison.

Reviewed by:	jhb
2001-12-03 16:12:27 +00:00
rwatson
de0f8b15da o Uniformly copy uap arguments into local variables before grabbing
giant, and make whitespace more consistent around giant-frobbing.
2001-12-02 15:22:56 +00:00
rwatson
dbe003dc3e o Remove KSE race in setuid() in which oldcred was preserved before giant
was grabbed.  This was introduced in 1.101 when the giant pushdown
  for kern_prot.c was originally performed.
2001-12-02 15:15:29 +00:00
rwatson
8b2ab77900 o General style, formatting, etc, improvements:
- uid's -> uids
	- whitespace improvements, linewrap improvements
	- reorder copyright more appropriately
	- remove redundant MP SAFE comments, add one "NOT MPSAFE?"
	  for setgroups(), which seems to be the sole un-changed system
	  call in the file.
	- clean up securelevel_g?() functions, improve comments.

Largely submitted by:	bde
2001-12-02 15:07:10 +00:00
rwatson
68b9d3708b o Further sysctl name simplification, generally stripping 'permitted',
using '_'s more consistently.

Discussed with:	bde, jhb
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2001-11-30 21:33:16 +00:00
rwatson
e92874bd10 o Move current inhabitants of kern.security to kern.security.bsd, so
that new models can inhabit kern.security.<modelname>.
o While I'm there, shorten somewhat excessive variable names, and clean
  things up a little.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, NAI Labs
2001-11-30 20:58:31 +00:00
jhb
c7338726d9 Clean up breakage in inferior() I introduced in 1.92 of kern_proc.c:
- Restore inferior() to being iterative rather than recursive.
- Assert that the proctree_lock is held in inferior() and change the one
  caller to get a shared lock of it.  This also ensures that we hold the
  lock after performing the check so the check can't be made invalid out
  from under us after the check but before we act on it.

Requested by:	bde
2001-11-12 18:56:49 +00:00
rwatson
6422aec2e5 o Introduce group subset test, which limits the ability of a process to
debug another process based on their respective {effective,additional,
  saved,real} gid's.  p1 is only permitted to debug p2 if its effective
  gids (egid + additional groups) are a strict superset of the gids of
  p2.  This implements properly the security test previously incorrectly
  implemented in kern_ktrace.c, and is consistent with the kernel
  security policy (although might be slightly confusing for those more
  familiar with the userland policy).
o Restructure p_candebug() logic so that various results are generated
  comparing uids, gids, credential changes, and then composed in a
  single check before testing for privilege.  These tests encapsulate
  the "BSD" inter-process debugging policy.  Other non-BSD checks remain
  seperate.  Additional comments are added.

Submitted by:   tmm, rwatson
Obtained from:  TrustedBSD Project
Reviewed by:    petef, tmm, rwatson
2001-11-02 18:44:50 +00:00
rwatson
41e6d511f2 o Add a comment to p_candebug() noting that the P_INEXEC check should
really be moved elsewhere: p_candebug() encapsulates the security
  policy decision, whereas the P_INEXEC check has to do with "correctness"
  regarding race conditions, rather than security policy.

  Example: even if no security protections were enforced (the "uids are
  advisory" model), removing P_INEXEC could result in incorrect operation
  due to races on credential evaluation and modification during execve().

Obtained from:	TrustedBSD Project
2001-11-02 16:41:06 +00:00
rwatson
77a36a51e4 o Capabilities cap_check() interface revised to remove _xxx, so rename
in p_cansched().  Also, replace '0' with 'NULL' for the ucred * pointer.

Obtained from:	TrustedBSD Project
2001-11-02 15:08:08 +00:00
des
6f69985e93 Add a P_INEXEC flag that indicates that the process has called execve() and
it has not yet returned.  Use this flag to deny debugging requests while
the process is execve()ing, and close once and for all any race conditions
that might occur between execve() and various debugging interfaces.

Reviewed by:	jhb, rwatson
2001-10-27 11:11:25 +00:00
dillon
ed9248e644 Add mtx_lock_giant() and mtx_unlock_giant() wrappers for sysctl management
of Giant during the Giant unwinding phase, and start work on instrumenting
Giant for the file and proc mutexes.

These wrappers allow developers to turn on and off Giant around various
subsystems.  DEVELOPERS SHOULD NEVER TURN OFF GIANT AROUND A SUBSYSTEM JUST
BECAUSE THE SYSCTL EXISTS!  General developers should only considering
turning on Giant for a subsystem whos default is off (to help track down
bugs).  Only developers working on particular subsystems who know what
they are doing should consider turning off Giant.

These wrappers will greatly improve our ability to unwind Giant and test
the kernel on a (mostly) subsystem by subsystem basis.   They allow Giant
unwinding developers (GUDs) to emplace appropriate subsystem and structural
mutexes in the main tree and then request that the larger community test
the work by turning off Giant around the subsystem(s), without the larger
community having to mess around with patches.  These wrappers also allow
GUDs to boot into a (more likely to be) working system in the midst of
their unwinding work and to test that work under more controlled
circumstances.

There is a master sysctl, kern.giant.all, which defaults to 0 (off).  If
turned on it overrides *ALL* other kern.giant sysctls and forces Giant to
be turned on for all wrapped subsystems.  If turned off then Giant around
individual subsystems are controlled by various other kern.giant.XXX sysctls.

Code which overlaps multiple subsystems must have all related subsystem Giant
sysctls turned off in order to run without Giant.
2001-10-26 20:48:04 +00:00
jhb
4806d88677 Change the kernel's ucred API as follows:
- crhold() returns a reference to the ucred whose refcount it bumps.
- crcopy() now simply copies the credentials from one credential to
  another and has no return value.
- a new crshared() primitive is added which returns true if a ucred's
  refcount is > 1 and false (0) otherwise.
2001-10-11 23:38:17 +00:00
jhb
9f68054d87 Whitespace fixes. 2001-10-11 22:49:27 +00:00
jhb
76f1acef67 Rework some code to be a bit simpler by inverting a few tests and using
else clauses instead of goto's.
2001-10-11 22:48:37 +00:00
jhb
63fe581848 Add a temporary hack that will go away with the ucred API update to bzero
the duplicated mutex before initializing it to avoid triggering the check
for init'ing an already initialized mutex.
2001-10-10 20:45:40 +00:00
rwatson
f51eaee62f - Combine kern.ps_showallprocs and kern.ipc.showallsockets into
a single kern.security.seeotheruids_permitted, describes as:
  "Unprivileged processes may see subjects/objects with different real uid"
  NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is
  an API change.  kern.ipc.showallsockets does not.
- Check kern.security.seeotheruids_permitted in cr_cansee().
- Replace visibility calls to socheckuid() with cr_cansee() (retain
  the change to socheckuid() in ipfw, where it is used for rule-matching).
- Remove prison_unpcb() and make use of cr_cansee() against the UNIX
  domain socket credential instead of comparing root vnodes for the
  UDS and the process.  This allows multiple jails to share the same
  chroot() and not see each others UNIX domain sockets.
- Remove unused socheckproc().

Now that cr_cansee() is used universally for socket visibility, a variety
of policies are more consistently enforced, including uid-based
restrictions and jail-based restrictions.  This also better-supports
the introduction of additional MAC models.

Reviewed by:	ps, billf
Obtained from:	TrustedBSD Project
2001-10-09 21:40:30 +00:00
rwatson
5157966d63 o Recent addition of (p1==p2) exception in p_candebug() permitted
processes to attach debugging to themselves even though the
  global kern_unprivileged_procdebug_permitted policy might disallow
  this.
o Move the kern_unprivileged_procdebug_permitted check above the
  (p1==p2) check.

Reviewed by:	des
2001-10-09 16:56:29 +00:00
des
6eea6dc1d4 Always succeed if the target process is the same as the requesting process. 2001-10-07 20:06:03 +00:00
rwatson
c3b8575001 o When performing a securelevel check as part of securelevel_ge() or
securelevel_gt(), determine first if a local securelevel exists --
  if so, perform the check based on imax(local, global).  Otherwise,
  simply use the global value.
o Note: even though local securelevels might lag below the global one,
  if the global value is updated to higher than local values, maximum
  will still be used, making the global dominant even if there is local
  lag.

Obtained from:	TrustedBSD Project
2001-09-26 20:41:48 +00:00
rwatson
0ae354be64 o So, when <dd> e-mailed me and said that the comment was inverted
for securelevel_ge() and securelevel_gt(), I was a little surprised,
  but fixed it.  Turns out that it was the code that was inverted, during
  a whitespace cleanup in my commit tree.  This commit inverts the
  checks, and restores the comment.
2001-09-25 21:08:33 +00:00
rwatson
7a4775391d o Rename u_cansee() to cr_cansee(), making the name more comprehensible
in the face of a rename of ucred to cred, and possibly generally.

Obtained from:	TrustedBSD Project
2001-09-20 21:45:31 +00:00
rwatson
e2fc11e60b o Clarification of securelevel_{ge,gt} comment.
Submitted by:	dd
2001-09-19 14:09:13 +00:00