mirror of
https://github.com/opnsense/src.git
synced 2026-05-28 04:12:45 -04:00
c1d7552ddd
This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. Its advantage over standard credential-setting system calls (such as setuid(), seteuid(), etc.) is that it enables MAC modules, such as MAC/do, to restrict the set of credentials some process may gain in a fine-grained manner. Traditionally, credential changes rely on setuid binaries that call multiple credential system calls and in a specific order (setuid() must be last, so as to remain root for all other credential-setting calls, which would otherwise fail with insufficient privileges). This piecewise approach causes the process to transiently hold credentials that are neither the original nor the final ones. For the kernel to enforce that only certain transitions of credentials are allowed, either these possibly non-compliant transient states have to disappear (by setting all relevant attributes in one go), or the kernel must delay setting or checking the new credentials. Delaying setting credentials could be done, e.g., by having some mode where the standard system calls contribute to building new credentials but without committing them. It could be started and ended by a special system call. Delaying checking could mean that, e.g., the kernel only verifies the credentials transition at the next non-credential-setting system call (we just mention this possibility for completeness, but are certainly not endorsing it). We chose the simpler approach of a new system call, as we don't expect the set of credentials one can set to change often. It has the advantages that the traditional system calls' code doesn't have to be changed and that we can establish a special MAC protocol for it, by having some cleanup function called just before returning (this is a requirement for MAC/do), without disturbing the existing ones. The mac_cred_check_setcred() hook is passed the flags received by setcred() (including the version) and both the old and new kernel's 'struct ucred' instead of 'struct setcred' as this should simplify evolving existing hooks as the 'struct setcred' structure evolves. The mac_cred_setcred_enter() and mac_cred_setcred_exit() hooks are always called by pairs around potential calls to mac_cred_check_setcred(). They allow MAC modules to allocate/free data they may need in their mac_cred_check_setcred() hook, as the latter is called under the current process' lock, rendering sleepable allocations impossible. MAC/do is going to leverage these in a subsequent commit. A scheme where mac_cred_check_setcred() could return ERESTART was considered but is incompatible with proper composition of MAC modules. While here, add missing includes and declarations for standalone inclusion of <sys/ucred.h> both from kernel and userspace (for the latter, it has been working thanks to <bsm/audit.h> already including <sys/types.h>). Reviewed by: brooks Approved by: markj (mentor) Relnotes: yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D47618 (cherry picked from commit ddb3eb4efe55e57c206f3534263c77b837aff1dc) |
||
|---|---|---|
| .. | ||
| aarch64 | ||
| amd64 | ||
| arm | ||
| capability | ||
| compat-43 | ||
| csu | ||
| db | ||
| gdtoa | ||
| gen | ||
| gmon | ||
| i386 | ||
| iconv | ||
| include | ||
| inet | ||
| isc | ||
| locale | ||
| md | ||
| nameser | ||
| net | ||
| nls | ||
| posix1e | ||
| powerpc | ||
| powerpc64 | ||
| powerpcspe | ||
| quad | ||
| regex | ||
| resolv | ||
| riscv | ||
| rpc | ||
| secure | ||
| softfloat | ||
| stdio | ||
| stdlib | ||
| stdtime | ||
| string | ||
| sys | ||
| tests | ||
| uuid | ||
| x86 | ||
| xdr | ||
| yp | ||
| libc.ldscript | ||
| libc_nossp.ldscript | ||
| Makefile | ||
| Makefile.depend | ||
| Makefile.depend.options | ||
| Versions.def | ||