Commit Graph

65 Commits

Author SHA1 Message Date
delphij
466c8cbf48 Test if 'env' is NULL before doing memset() and strlen(),
the caller may pass NULL to freeenv().
2014-10-23 18:23:50 +00:00
cperciva
93829a91a2 Avoid leaking data from the kernel environment: When we convert the
initial static environment to a dynamic one, zero the static environment
buffer, and zero individual values when kern_unsetenv and freeenv are
called.

Tested by:	kmoore (VM memory dump + grep)
Tested by:	cperciva (kernel panic dump + grep)
2014-10-22 23:35:32 +00:00
davide
e88bd26b3f Follow up to r225617. In order to maximize the re-usability of kernel code
in userland rename in-kernel getenv()/setenv() to kern_setenv()/kern_getenv().
This fixes a namespace collision with libc symbols.

Submitted by:   kmacy
Tested by:      make universe
2014-10-16 18:04:43 +00:00
mav
b8e600624b Make getenv_*() functions and respectively TUNABLE_*_FETCH() macros not
allocate memory and so not require sleepable environment.  getenv() has
already used on-stack temporary storage, so just use it more rationally.
getenv_string() receives buffer as argument, so don't need another one.
2013-11-01 10:32:33 +00:00
imp
761f4524d4 r249408 and r249436 cause a NULL pointer dereference on the CUBIEBOARD
since it doesn't set the kernel envrionment at all. Work around this
by making sure kern_envp is non-NULL before dereferencing it.
2013-04-16 22:09:08 +00:00
jchandra
33ed81146c Fix changes made in r249408.
In some cases, kern_envp is set by the architecture code and env_pos does
not contain the length of the static kernel environment. In these cases
r249408 causes the kernel to discard the environment.

Fix this by updating the check for empty static env to *kern_envp != '\0'

Reported by:	np@
2013-04-13 07:23:37 +00:00
jchandra
b9f386539e Fix kenv behavior when there is no static environment
In case where there are no static kernel environment entries, the
function init_dynamic_kenv() adds an incorrect entry at position 0 of
the dynamic kernel environment. This in turn causes kenv(1) to print
and empty list even though there are dynamic entries added later.

Fix this by checking env_pos in init_dynamic_kenv() and adding dynamic
entries only if there are static entries.
2013-04-12 15:58:53 +00:00
jh
6e556a5317 Reserve room for the terminating NUL when setting or getting kernel
environment variables. KENV_MNAMELEN and KENV_MVALLEN doesn't include
space for the terminating NUL.
2012-08-14 19:16:30 +00:00
kmacy
99851f359e In order to maximize the re-usability of kernel code in user space this
patch modifies makesyscalls.sh to prefix all of the non-compatibility
calls (e.g. not linux_, freebsd32_) with sys_ and updates the kernel
entry points and all places in the code that use them. It also
fixes an additional name space collision between the kernel function
psignal and the libc function of the same name by renaming the kernel
psignal kern_psignal(). By introducing this change now we will ease future
MFCs that change syscalls.

Reviewed by:	rwatson
Approved by:	re (bz)
2011-09-16 13:58:51 +00:00
jh
fbe30c6e5c In init_dynamic_kenv(), ignore environment strings exceeding the
KENV_MNAMELEN + 1 + KENV_MVALLEN + 1 length limit to avoid buffer
overflow in getenv(). Currenly loader(8) doesn't limit the length of
environment strings.

PR:		kern/132104
MFC after:	1 month
2011-05-23 16:40:44 +00:00
jh
264f4e742a To avoid duplicated warning, move WITNESS_WARN() added in r221597 to the
branch which doesn't call malloc(9).

Suggested by:	kib
2011-05-07 17:59:07 +00:00
jh
f428a5f2b3 Add WITNESS_WARN() to getenv() to explicitly note that the function may
sleep. This helps to expose bugs when the requested environment variable
doesn't exist.
2011-05-07 11:10:58 +00:00
imp
25563df1b0 Merge change r198561 from projects/mips to head:
r198561 | thompsa | 2009-10-28 15:25:22 -0600 (Wed, 28 Oct 2009) | 4 lines
Allow a scratch buffer to be set in order to be able to use setenv() while
booting, before dynamic kenv is running. A few platforms implement their own
scratch+sprintf handling to save data from the boot environment.
2010-01-10 22:34:18 +00:00
rwatson
f4934662e5 Move "options MAC" from opt_mac.h to opt_global.h, as it's now in GENERIC
and used in a large number of files, but also because an increasing number
of incorrect uses of MAC calls were sneaking in due to copy-and-paste of
MAC-aware code without the associated opt_mac.h include.

Discussed with:	pjd
2009-06-05 14:55:22 +00:00
cperciva
b7238dced4 Correctly sanity-check timer IDs. [SA-09:06]
Limit the size of malloced buffer when dumping environment
variables. [EN-09:01]

Approved by:	so (cperciva)
Approved by:	re (kensmith)
Security:	FreeBSD-SA-09:06.ktimer
Errata:		FreeBSD-EN-09:01.kenv
2009-03-23 00:00:50 +00:00
pjd
9d11b5b5b3 Implement the following macros for completeness:
SYSCTL_QUAD()
	SYSCTL_ADD_QUAD()
	TUNABLE_QUAD()
	TUNABLE_QUAD_FETCH()

Now we can use 64bit tunables on 32bit systems.
2008-07-21 15:05:25 +00:00
rwatson
60570a92bf Merge first in a series of TrustedBSD MAC Framework KPI changes
from Mac OS X Leopard--rationalize naming for entry points to
the following general forms:

  mac_<object>_<method/action>
  mac_<object>_check_<method/action>

The previous naming scheme was inconsistent and mostly
reversed from the new scheme.  Also, make object types more
consistent and remove spaces from object types that contain
multiple parts ("posix_sem" -> "posixsem") to make mechanical
parsing easier.  Introduce a new "netinet" object type for
certain IPv4/IPv6-related methods.  Also simplify, slightly,
some entry point names.

All MAC policy modules will need to be recompiled, and modules
not updates as part of this commit will need to be modified to
conform to the new KPI.

Sponsored by:	SPARTA (original patches against Mac OS X)
Obtained from:	TrustedBSD Project, Apple Computer
2007-10-24 19:04:04 +00:00
des
73606ae492 I don't know what I was smoking when I wrote these three years ago; the
return value is an error code, hence always an int.

While I'm here, add getenv_uint() for completeness.
2007-10-13 11:30:19 +00:00
rwatson
69938bd196 Further system call comment cleanup:
- Remove also "MP SAFE" after prior "MPSAFE" pass. (suggested by bde)
- Remove extra blank lines in some cases.
- Add extra blank lines in some cases.
- Remove no-op comments consisting solely of the function name, the word
  "syscall", or the system call name.
- Add punctuation.
- Re-wrap some comments.
2007-03-05 13:10:58 +00:00
rwatson
10d0d9cf47 Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
rwatson
7beaaf5cd2 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
scottl
483a18cd99 Use a sleep mutex instead of an sx lock for the kernel environment. This
allows greater flexibility for drivers that want to query the environment.

Reviewed by: jhb, mux
2006-07-09 21:42:58 +00:00
netchild
2d68e8809d Fix memory leak introduced in previous revision.
Discussed with:	phk
2006-03-15 19:23:08 +00:00
phk
b7db2706e8 Ignore kenv strings which overflow the room we have, rather than pretend
we have room for them.
2006-03-09 09:29:41 +00:00
davidxu
fa2166ed09 Reorder statements to avoid accessing unknown memory.
In theory, invoking kenv with very long string can panic
kernel.
2005-09-26 14:14:55 +00:00
netchild
5d0bbfe29c Add bounds checking to the setenv part of the kernel environment.
This has no security implications since only root is allowed to use
kenv(1) (and corrupt the kernel memory after adding too much variables
previous to this commit).

This is based upon the PR [1] mentioned below, but extended to check both
bounds (in case of an overflow of the counting variable) and to comply
to the style of the function. An overflow of the counting variable
shouldn't happen after adding the check for the upper bound, but better
safe than sorry (in case some other function in the kernel overwrites
random memory).

An interested soul may want to add a printf to notify root in case the
bounds are hit.

Also allocate KENV_SIZE+1 entries (the array is NULL-terminated), since
the comment for KENV_SIZE says it's the maximum number of environment
strings. [2]

PR:		83687 [1]
Submitted by:	Harry Coin <harrycoin@qconline.com> [1]
Submitted by:	Ariff Abdullah <skywizard@MyBSD.org.my> [2]
2005-07-31 10:28:35 +00:00
des
21bc3da176 My addled brains didn't realize that since vtp points into value, we
can't freeenv(value) before we're done inspecting vtp[0].

Tested by:	Anish Mistry <mistry.7@osu.edu>
2005-03-09 12:16:45 +00:00
des
92b3a60f35 Teach getenv_quad() to recognize k/m/g/t suffixes in both lower- and
upper-case.  This means (almost) all tunables now support those suffixes.
2005-03-05 15:52:12 +00:00
phk
13100c3699 Make a bunch of malloc types static.
Found by:	src/tools/tools/kernxref
2005-02-10 12:02:37 +00:00
des
fe29d052b3 Retire TUNABLE_QUAD_*. 2004-11-08 18:22:22 +00:00
des
22d75b597a Add TUNABLE_LONG and TUNABLE_ULONG, and use the latter for the
hw.pci.host_mem_start tunable.  Add comments to TUNABLE_INT and
TUNABLE_QUAD recommending against their use.

MFC after:	3 weeks
2004-10-31 15:50:33 +00:00
das
9df402daa4 If the buffer supplied to kenv(KENV_DUMP, ...) isn't big enough,
return the number of bytes needed instead of 0.  The manpage claims
that we do this anyway.
2004-04-28 01:27:33 +00:00
obrien
3b8fff9e4c Use __FBSDID(). 2003-06-11 00:56:59 +00:00
imp
cf874b345d Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
alfred
bf8e8a6e8f Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
alfred
7b7fa13344 remove syscallarg().
Suggested by: peter
2002-12-14 02:07:32 +00:00
alfred
d070c0a52d SCARGS removal take II. 2002-12-14 01:56:26 +00:00
alfred
4f48184fb2 Backout removal SCARGS, the code freeze is only "selectively" over. 2002-12-13 22:41:47 +00:00
alfred
d19b4e039d Remove SCARGS.
Reviewed by: md5
2002-12-13 22:27:25 +00:00
rwatson
61ffc1b9bb Add MAC checks for various kenv() operations: dump, get, set, unset,
permitting MAC policies to limit access to the kernel environment.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2002-11-01 20:46:53 +00:00
robert
1e0cdb534a Use strlcpy() instead of strncpy() to copy NUL terminated strings
for safety and consistency.
2002-10-17 20:03:38 +00:00
peter
84ae7c9225 Cosmetic tweaks. Try and keep the style more consistent, catch some stray
whitespace and update a comment.
2002-05-01 02:51:50 +00:00
bde
e1e6cfc088 Fixed some longstanding bugs in _getenv_static():
- malformed environment strings (ones without an '=') were not rejected.
  There shouldn't be any of these, but when the static environment is
  empty it always begins with one of these; this one should be considered
  as the terminator after the end of the environment, but it isn't.
- the comparison of the name being looked up with the name in the
  environment was fuzzy -- only the characters up to the length of the
  latter were compared, so _getenv_static("foobar") matched "foo=..."
  in the environment and everything matched "" in the empty environment.

MFC after:	3 days
2002-04-25 20:25:15 +00:00
mux
6961e47900 Avoid calling malloc() or free() while holding the
kenv lock.

Reviewed by:	jake
2002-04-17 17:51:10 +00:00
mux
a207e41bef Rework the kernel environment subsystem. We now convert the static
environment needed at boot time to a dynamic subsystem when VM is
up.  The dynamic kernel environment is protected by an sx lock.

This adds some new functions to manipulate the kernel environment :
freeenv(), setenv(), unsetenv() and testenv().  freeenv() has to be
called after every getenv() when you have finished using the string.
testenv() only tests if an environment variable is present, and
doesn't require a freeenv() call. setenv() and unsetenv() are self
explanatory.

The kenv(2) syscall exports these new functionalities to userland,
mainly for kenv(1).

Reviewed by:	peter
2002-04-17 13:06:36 +00:00
jhb
750eb154f1 Fix an inverted test csae. Success of getenv() is determined by a return
value of !NUL rather than NUL.

Submitted by:	luigi
Pointy hat to:	jhb
2001-10-25 17:22:31 +00:00
jhb
aa79b67470 - Change getenv_quad() to return an int instead of a quad_t since it
returns an success/failure code rather than the actual value.
- Add getenv_string() which copies a string from the environment to another
  string and returns true on success.
2001-10-23 22:34:36 +00:00
ps
db0d5cd641 Make MAXTSIZ, DFLDSIZ, MAXDSIZ, DFLSSIZ, MAXSSIZ, SGROWSIZ loader
tunable.

Reviewed by:	peter
MFC after:	2 weeks
2001-10-10 23:06:54 +00:00
peter
f08a3beb2e Add a pointer to kenv(1). 2001-09-21 02:25:53 +00:00
jlemon
23a6296f66 Revert last commit. The same functionality can be obtained through the
'kenv' command, which I obviously was unaware of.
2001-09-21 02:09:01 +00:00