Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 19 Dec 1998 00:56:19 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        current@FreeBSD.ORG
Subject:   adding policy tuning knobs to my F_SETOWN/SIGIO/SIGURG enhancements
Message-ID:  <199812190856.AAA11948@salsa.gv.tsc.tdk.com>

next in thread | raw e-mail | index | archive | help
I'm still looking for comments on this.  Eivind was the only one who
spoke up when I posted it to -hackers.  He was in favor of leaving
the policy compiled in.

I'd like to commit this or something like it in the next couple of days.

The questions still stand.


=====  Forwarded from -hackers ==============

My previous security enhancements to the F_SETOWN/SIGIO/SIGURG in the 3.0
kernel code made some policy decisions that were hard-wired into the code
but were commented in case someone needed to change them.  I've decided
that would be good to allow the security policy to be tuned using some
sysctl knobs.  The attached patch adds two policy adjustments,
kern.security.setown_restrict, and kern.security.async_io_cred_check,
which can be used to limit the process or process group that can be
specified to F_SETOWN, and whether credentials should be checked before
delivering the signals.

Questions:

	Should these variables live under kern.security, directly under
	kern, or elsewhere?

	I also want to add some other security related tunables in other
	parts of the kernel.  Assuming they should also live under
	kern.security, where should
	"SYSCTL_NODE(_kern, OID_AUTO, security, ...)" live?  I've already
	got kern.security sysctl variables in two different files ...

Any other comments on this patch are welcome.


--- kern_descrip.c.orig	Wed Nov 11 03:08:32 1998
+++ kern_descrip.c	Sat Dec 12 23:39:50 1998
@@ -392,7 +392,24 @@
  *
  * After permission checking, add a sigio structure to the sigio list for
  * the process or process group.
+ *
+ * The setown_restrict variable sets a policy which may restrict the allowable
+ * process/group argument for F_SETOWN/FIOSETOWN.  An argument of 0 is
+ * always allowed.
+ *   0 - There are no restrictions, any existing process or process group
+ *       may be specified.
+ *   1 - Any process or process group specified must belong to the same
+ *       session as the current process.
+ *   2 - Only the current process group or a process in the current process
+ *       group may be specified.  This is the default.
+ *   3 - Only the current process may be specified.
+ * 
  */
+static int setown_restrict = 2;
+SYSCTL_NODE(_kern, OID_AUTO, security, CTLFLAG_RW, 0, "");
+SYSCTL_INT(_kern_security, OID_AUTO, setown_restrict,
+	CTLFLAG_RW|CTLFLAG_SECURE, &setown_restrict, 0, "");
+
 int
 fsetown(pgid, sigiop)
 	pid_t pgid;
@@ -411,30 +428,20 @@
 		proc = pfind(pgid);
 		if (proc == NULL)
 			return (ESRCH);
-		/*
-		 * Policy - Don't allow a process to FSETOWN a process
-		 * in another session.
-		 *
-		 * Remove this test to allow maximum flexibility or
-		 * restrict FSETOWN to the current process or process
-		 * group for maximum safety.
-		 */
-		else if (proc->p_session != curproc->p_session)
+		if (setown_restrict > 2 && proc != curproc ||
+		    setown_restrict > 1 && proc->p_pgrp != curproc->p_pgrp ||
+		    setown_restrict > 0 &&
+		    proc->p_session != curproc->p_session)
 			return (EPERM);
 		pgrp = NULL;
 	} else /* if (pgid < 0) */ {
 		pgrp = pgfind(-pgid);
 		if (pgrp == NULL)
 			return (ESRCH);
-		/*
-		 * Policy - Don't allow a process to FSETOWN a process
-		 * in another session.
-		 *
-		 * Remove this test to allow maximum flexibility or
-		 * restrict FSETOWN to the current process or process
-		 * group for maximum safety.
-		 */
-		else if (pgrp->pg_session != curproc->p_session)
+		if (setown_restrict > 2 ||
+		    setown_restrict > 1 && pgrp != curproc->p_pgrp ||
+		    setown_restrict > 0 &&
+		    pgrp->pg_session != curproc->p_session)
 			return (EPERM);
 		proc = NULL;
 	}
--- kern_sig.c.orig	Tue Dec  8 20:40:50 1998
+++ kern_sig.c	Sun Dec 13 00:10:50 1998
@@ -1358,9 +1358,16 @@
 }
 
 /*
- * Send a signal to a SIGIO or SIGURG to a process or process group using
- * stored credentials rather than those of the current process.
+ * Send a SIGIO or SIGURG signal to a process or process group in
+ * response to an I/O event.
+ *
+ * If async_io_cred_check is nonzero, the stored credentials from
+ * the process that did the F_SETOWN/FIOSETOWN are first checked
+ * to see if it is permissible to send the signal.
  */
+static int async_io_cred_check = 1;
+SYSCTL_INT(_kern_security, OID_AUTO, async_io_cred_check,
+        CTLFLAG_RW|CTLFLAG_SECURE, &async_io_cred_check, 0, "");
 void
 pgsigio(sigio, signum, checkctty)
 	struct sigio *sigio;
@@ -1370,15 +1377,17 @@
 		return;
 		
 	if (sigio->sio_pgid > 0) {
-		if (CANSIGIO(sigio->sio_ruid, sigio->sio_ucred,
-		             sigio->sio_proc))
+		if (!async_io_cred_check ||
+		    CANSIGIO(sigio->sio_ruid, sigio->sio_ucred,
+		    sigio->sio_proc))
 			psignal(sigio->sio_proc, signum);
 	} else if (sigio->sio_pgid < 0) {
 		struct proc *p;
 
 		for (p = sigio->sio_pgrp->pg_members.lh_first; p != NULL;
 		     p = p->p_pglist.le_next)
-			if (CANSIGIO(sigio->sio_ruid, sigio->sio_ucred, p) &&
+			if ((!async_io_cred_check ||
+			    CANSIGIO(sigio->sio_ruid, sigio->sio_ucred, p)) &&
 			    (checkctty == 0 || (p->p_flag & P_CONTROLT)))
 				psignal(p, signum);
 	}

===========================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199812190856.AAA11948>