Date: Tue, 15 Jul 2008 23:35:20 +0200
From: Mateusz Guzik
To: freebsd-hackers@freebsd.org
Message-ID: <20080715213520.GP41336@skucha.home.aster.pl>
Subject: Usage of priv_cred in sys/kern/kern_ktrace.c

Hi,

ktrace has the ability to set flag KTRFAC_ROOT, indicating that the root
user started tracing of the given process. It does the following:

	if (priv_check(td, PRIV_KTRACE) == 0)
		p->p_traceflag |= KTRFAC_ROOT;

I believe this check is wrong and should be changed to something like:

	if (td->td_ucred->cr_uid == UID_ROOT)
		p->p_traceflag |= KTRFAC_ROOT;

Also, despite the existence of PRIV_KTRACE, there's no way to disable
ktrace using the MAC framework, because priv_check is only used in the
case described above.

Am I misinterpreting something? If I'm right, what do you think about the
attached patch? :)

Thanks for your time,
-- 
Mateusz Guzik

Content-Disposition: attachment; filename="ktrace.diff"

--- sys/kern/kern_priv.c.orig 2008-03-07 16:27:08.000000000 +0100 +++ sys/kern/kern_priv.c 2008-07-15 22:30:56.000000000 +0200 
@@ -86,10 +86,18 @@ error = prison_priv_check(cred, priv); if (error) return (error); /* + * Grant some privileges typically available for normal users. + */ + switch (priv) { + case PRIV_KTRACE: + return (0); + } + + /* * Having determined if privilege is restricted by various policies, * now determine if privilege is granted. At this point, any policy * may grant privilege. For now, we allow short-circuit boolean * evaluation, so may not call all policies. Perhaps we should. * --- sys/kern/kern_ktrace.c.orig 2008-02-23 02:01:48.000000000 +0100 +++ sys/kern/kern_ktrace.c 2008-07-15 22:01:03.000000000 +0200 @@ -37,10 +37,11 @@ #include "opt_ktrace.h" #include "opt_mac.h" #include #include +#include #include #include #include #include #include @@ -610,10 +611,13 @@ int nfound, ret = 0; int flags, error = 0, vfslocked; struct nameidata nd; struct ucred *cred; + if (priv_check(td, PRIV_KTRACE)) + if (ops != KTROP_CLEAR && ops != KTROP_CLEARFILE) + return (ENOSYS); /* * Need something to (un)trace. */ if (ops != KTROP_CLEARFILE && facs == 0) return (EINVAL); @@ -821,11 +825,11 @@ if (p->p_tracecred != td->td_ucred) { tracecred = p->p_tracecred; p->p_tracecred = crhold(td->td_ucred); } p->p_traceflag |= facs; - if (priv_check(td, PRIV_KTRACE) == 0) + if (td->td_ucred->cr_uid == UID_ROOT) p->p_traceflag |= KTRFAC_ROOT; } else { /* KTROP_CLEAR */ if (((p->p_traceflag &= ~facs) & KTRFAC_MASK) == 0) { /* no more tracing */ @@ -1027,11 +1031,11 @@ struct proc *targetp; { PROC_LOCK_ASSERT(targetp, MA_OWNED); if (targetp->p_traceflag & KTRFAC_ROOT && - priv_check(td, PRIV_KTRACE)) + td->td_ucred->cr_uid != UID_ROOT) return (0); if (p_candebug(td, targetp) != 0) return (0); --vEao7xgI/oilGqZ+--
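Review bot: In sys/kern/kern_priv.c (@@ -86,10 +86,18 @@), the new `case PRIV_KTRACE: return (0);` grants the privilege to every credential that gets past prison_priv_check, which turns PRIV_KTRACE from something only privileged callers hold into a default-allow switch that only a restricting check can turn off. That is a change in the meaning of an existing privilege, so the block comment should say so explicitly: who is expected to deny it, and that this grant deliberately happens before the policy-grant logic described in the comment that follows. The switch should also carry a `default: break;` so that falling through for every other privilege is visibly intended.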
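Review bot: In sys/kern/kern_ktrace.c (@@ -610,10 +611,13 @@), the denial path returns ENOSYS and throws away the error that priv_check() produced, so a caller cannot tell "tracing is denied by policy" from "this syscall does not exist". Either propagate the value (`error = priv_check(td, PRIV_KTRACE);` and return it when the operation is not a clear), or add a comment stating that ENOSYS is chosen on purpose. The two nested unbraced `if` statements read more clearly as one condition joined with `&&`, and a blank line is missing between the new check and the "Need something to (un)trace" comment. Note also that the check now runs before the `facs == 0` validation, so a denied caller with invalid arguments gets ENOSYS rather than EINVAL; if that ordering is intended, say so.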
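Review bot: In sys/kern/kern_ktrace.c (@@ -821,11 +825,11 @@), replacing `priv_check(td, PRIV_KTRACE) == 0` with `td->td_ucred->cr_uid == UID_ROOT` takes the KTRFAC_ROOT decision out of the privilege framework entirely: neither prison_priv_check nor any policy consulted on the priv_check path has a say in who may mark a trace as root-owned. Since the kern_priv.c hunk repurposes PRIV_KTRACE as "may use ktrace at all", the cleaner fix is a second, separate privilege for "may set and override KTRFAC_ROOT" that is still checked with priv_check(), rather than a literal uid comparison. If the uid test stays, add a comment explaining why it is deliberately exempt from those checks.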
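Review bot: In sys/kern/kern_ktrace.c (@@ -1027,11 +1031,11 @@), the test `td->td_ucred->cr_uid != UID_ROOT` is the hand-written negation of the test added in the @@ -821,11 +825,11 @@ hunk, and the two must always agree: one decides who sets KTRFAC_ROOT, the other who may change a trace that carries it. Put the predicate in one small static helper (or one privilege check) used at both sites so a later edit cannot make the setter and the guard diverge. While touching this condition, parenthesise `(targetp->p_traceflag & KTRFAC_ROOT)` so the mix of `&` and `&&` does not depend on the reader recalling operator precedence.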