Date: Sun, 05 Aug 2012 19:00:54 +0000 From: gpf@FreeBSD.org To: svn-soc-all@FreeBSD.org Subject: socsvn commit: r240113 - soc2012/gpf/pefs_head/head/sys/kern Message-ID: <20120805190054.0923E106564A@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: gpf Date: Sun Aug 5 19:00:53 2012 New Revision: 240113 URL: http://svnweb.FreeBSD.org/socsvn/?view=rev&rev=240113 Log: kern_exec.c hack: During an exec(), kernel checks if sysctl var "vfs.pefs.exec.enable" exists and is turned on. If it is active, we check the schg flag of the executable. For the moment, we simply print a "denied" message. Next patch will return proper error code and fail in a graceful manner. The pefs specific sysctl var is used to ease development so it's just temporary. If the file being executed is a shell script, only the respective interpreter is checked for the schg flag, not the script itself. work in progress Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c Modified: soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c ============================================================================== --- soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c Sun Aug 5 17:30:17 2012 (r240112) +++ soc2012/gpf/pefs_head/head/sys/kern/kern_exec.c Sun Aug 5 19:00:53 2012 (r240113) @@ -122,7 +122,7 @@ NULL, 0, sysctl_kern_stackprot, "I", ""); u_long ps_arg_cache_limit = PAGE_SIZE / 16; -SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, +SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, &ps_arg_cache_limit, 0, ""); static int map_at_zero = 0; @@ -186,9 +186,9 @@ #ifndef _SYS_SYSPROTO_H_ struct execve_args { - char *fname; + char *fname; char **argv; - char **envv; + char **envv; }; #endif @@ -548,6 +548,24 @@ goto interpret; } + { + int enabled, rval; + size_t enabled_len; + + rval = kernel_sysctlbyname(td, "vfs.pefs.exec.enable", + &enabled, &enabled_len, NULL, 0, NULL, 0); + //printf("sysctl vfs.pefs.exec.enable=%d returns %d\n", enabled, + //rval); + if (rval == 0 && enabled != 0) { + printf("checking flag for %s\n", args->fname); + if ((imgp->attr->va_flags & SF_IMMUTABLE) == 0) { + printf("denied!\n"); + //error = ... + //goto exec_fail_dealloc; + } + } + } + /* * NB: We unlock the vnode here because it is believed that none * of the sv_copyout_strings/sv_fixup operations require the vnode. @@ -821,7 +839,7 @@ /* Set values passed into the program in registers. */ if (p->p_sysent->sv_setregs) - (*p->p_sysent->sv_setregs)(td, imgp, + (*p->p_sysent->sv_setregs)(td, imgp, (u_long)(uintptr_t)stack_base); else exec_setregs(td, imgp, (u_long)(uintptr_t)stack_base); @@ -1160,7 +1178,7 @@ } if ((error = copyinstr(argp, args->endp, args->stringspace, &length))) { - if (error == ENAMETOOLONG) + if (error == ENAMETOOLONG) error = E2BIG; goto err_exit; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120805190054.0923E106564A>