Date:      Sun, 6 Jun 2021 19:25:52 GMT
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 598f6fb49c9c - main - linuxolator: Add compat.linux.setid_allowed knob
Message-ID:  <202106061925.156JPqB7045053@gitrepo.freebsd.org>

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=598f6fb49c9ca688029b79de0a44227ab79c608c

commit 598f6fb49c9ca688029b79de0a44227ab79c608c
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-01-14 13:51:52 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-06-06 18:43:00 +0000

    linuxolator: Add compat.linux.setid_allowed knob
    
    PR:     21463
    Reported by:    kris
    Reviewed by:    dchagin
    Tested by:      trasz
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D28154
---
 share/man/man4/linux.4             | 14 +++++++++++++-
 sys/amd64/linux/linux_sysvec.c     |  1 +
 sys/amd64/linux32/linux32_sysvec.c |  1 +
 sys/arm64/linux/linux_sysvec.c     |  1 +
 sys/compat/linux/linux_mib.c       | 12 ++++++++++++
 sys/compat/linux/linux_mib.h       |  3 +++
 sys/i386/linux/linux_sysvec.c      |  2 ++
 7 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/share/man/man4/linux.4 b/share/man/man4/linux.4
index 23bc0c26f7f9..b2d36158c622 100644
--- a/share/man/man4/linux.4
+++ b/share/man/man4/linux.4
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 5, 2020
+.Dd May 6, 2021
 .Dt LINUX 4
 .Os
 .Sh NAME
@@ -130,6 +130,18 @@ From a user perspective, this makes
 .Va SIGINFO
 work for Linux executables.
 Defaults to 0.
+.It Va compat.linux.setid_allowed
+Disable handling of set-user-ID and set-group-ID mode bits for the new
+process image file when image is to be executed under Linux ABI.
+When set, new Linux images always use credentials of the program
+that issued
+.Xr execve 2
+call, regardless of the image file mode.
+.Pp
+This might be reasonable or even required, because
+.Fx
+does not emulate Linux environment completely, and missed features
+could become holes.
 .El
 .Sh FILES
 .Bl -tag -width /compat/linux/dev/shm -compact
diff --git a/sys/amd64/linux/linux_sysvec.c b/sys/amd64/linux/linux_sysvec.c
index 02225e63072d..3eab9126f192 100644
--- a/sys/amd64/linux/linux_sysvec.c
+++ b/sys/amd64/linux/linux_sysvec.c
@@ -764,6 +764,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 
 static void
diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c
index 05354803cf03..b950c00eba1d 100644
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@@ -931,6 +931,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 
 static void
diff --git a/sys/arm64/linux/linux_sysvec.c b/sys/arm64/linux/linux_sysvec.c
index 365cb9fc386a..57abdc6fd691 100644
--- a/sys/arm64/linux/linux_sysvec.c
+++ b/sys/arm64/linux/linux_sysvec.c
@@ -443,6 +443,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 
 static void
diff --git a/sys/compat/linux/linux_mib.c b/sys/compat/linux/linux_mib.c
index cc4207f74a39..3a6627df9abd 100644
--- a/sys/compat/linux/linux_mib.c
+++ b/sys/compat/linux/linux_mib.c
@@ -99,6 +99,18 @@ int linux_use_emul_path = 1;
 SYSCTL_INT(_compat_linux, OID_AUTO, use_emul_path, CTLFLAG_RWTUN,
     &linux_use_emul_path, 0, "Use linux.compat.emul_path");
 
+static bool linux_setid_allowed = true;
+SYSCTL_BOOL(_compat_linux, OID_AUTO, setid_allowed, CTLFLAG_RWTUN,
+    &linux_setid_allowed, 0,
+    "Allow setuid/setgid on execve of Linux binary");
+
+bool
+linux_setid_allowed_query(struct thread *td __unused,
+    struct image_params *imgp __unused)
+{
+	return (linux_setid_allowed);
+}
+
 static int	linux_set_osname(struct thread *td, char *osname);
 static int	linux_set_osrelease(struct thread *td, char *osrelease);
 static int	linux_set_oss_version(struct thread *td, int oss_version);
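Review bot: The knob's polarity is documented in two opposite senses within this commit: here `linux_setid_allowed` defaults to `true` and the sysctl help string reads `Allow setuid/setgid on execve of Linux binary`, i.e. a permit flag, while the linux.4 text added in the same commit says the variable "Disable[s] handling of set-user-ID and set-group-ID mode bits" and that "When set, new Linux images always use credentials of the program that issued execve", and unlike the neighbouring entries it states no default. An administrator who reads the man page and sets it to 1 expecting hardening will in fact get the permissive default, so the man page should say the knob is 1 by default and that setting it to 0 is what makes Linux images ignore set-id bits, ending the entry with `Defaults to 1.` as the other entries do. Since both parameters of `linux_setid_allowed_query` are `__unused`, a one-line comment above it would also help the next reader: `/* sv_setid_allowed hook: the decision is system-wide, td and imgp are ignored. */`. The code that consults this hook during exec is outside the hunk, so whether it is checked before or after the image credentials are computed cannot be confirmed from here.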
diff --git a/sys/compat/linux/linux_mib.h b/sys/compat/linux/linux_mib.h
index c4d3d1e83f7e..adf71cb65401 100644
--- a/sys/compat/linux/linux_mib.h
+++ b/sys/compat/linux/linux_mib.h
@@ -71,4 +71,7 @@ extern int linux_ignore_ip_recverr;
 extern int linux_preserve_vstatus;
 extern bool linux_map_sched_prio;
 
+struct image_params;
+bool linux_setid_allowed_query(struct thread *td, struct image_params *imgp);
+
 #endif /* _LINUX_MIB_H_ */
diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c
index 0e6ad4b5c137..9cc1a723ab55 100644
--- a/sys/i386/linux/linux_sysvec.c
+++ b/sys/i386/linux/linux_sysvec.c
@@ -871,6 +871,7 @@ struct sysentvec linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 INIT_SYSENTVEC(aout_sysvec, &linux_sysvec);
 
@@ -908,6 +909,7 @@ struct sysentvec elf_linux_sysvec = {
 	.sv_onexec	= linux_on_exec,
 	.sv_onexit	= linux_on_exit,
 	.sv_ontdexit	= linux_thread_dtor,
+	.sv_setid_allowed = &linux_setid_allowed_query,
 };
 
 static void


