From: Pawel Jakub Dawidek
Date: Tue, 27 Nov 2012 10:38:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r243613 - head/sys/kern

Author: pjd
Date: Tue Nov 27 10:38:11 2012
New Revision: 243613
URL: http://svnweb.freebsd.org/changeset/base/243613

Log:
  Add kern.capmode_coredump sysctl/tunable to allow processes in capability
  mode to dump core.

  Reviewed by: rwatson
  Obtained from: WHEEL Systems
  MFC after: 2 weeks

Modified:
  head/sys/kern/kern_sig.c

Modified: head/sys/kern/kern_sig.c ============================================================================== --- head/sys/kern/kern_sig.c Tue Nov 27 10:32:35 2012 (r243612) +++ head/sys/kern/kern_sig.c Tue Nov 27 10:38:11 2012 (r243613) @@ -175,6 +175,11 @@ TUNABLE_INT("kern.sugid_coredump", &sugi SYSCTL_INT(_kern, OID_AUTO, sugid_coredump, CTLFLAG_RW, &sugid_coredump, 0, "Allow setuid and setgid processes to dump core"); +static int capmode_coredump; +TUNABLE_INT("kern.capmode_coredump", &capmode_coredump); +SYSCTL_INT(_kern, OID_AUTO, capmode_coredump, CTLFLAG_RW, + &capmode_coredump, 0, "Allow processes in capability mode to dump core"); + static int do_coredump = 1; SYSCTL_INT(_kern, OID_AUTO, coredump, CTLFLAG_RW, &do_coredump, 0, "Enable/Disable coredumps"); 
@@ -3134,12 +3139,17 @@ nomem: int error, n; int flags = O_CREAT | O_EXCL | FWRITE | O_NOFOLLOW; int cmode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP; + int oflags = 0; + + if (capmode_coredump) + oflags = VN_OPEN_NOCAPCHECK; for (n = 0; n < num_cores; n++) { temp[indexpos] = '0' + n; NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, temp, td); - error = vn_open(&nd, &flags, cmode, NULL); + error = vn_open_cred(&nd, &flags, cmode, oflags, + td->td_ucred, NULL); if (error) { if (error == EEXIST) continue; @@ -3241,7 +3251,8 @@ coredump(struct thread *td) restart: NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, td); flags = O_CREAT | FWRITE | O_NOFOLLOW; - error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR, VN_OPEN_NOAUDIT, + error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR, + VN_OPEN_NOAUDIT | (capmode_coredump ? VN_OPEN_NOCAPCHECK : 0), cred, NULL); if (error) { #ifdef AUDIT
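
Review bot: the capmode_coredump declaration in the @@ -175,6 +175,11 @@ hunk has no comment saying what the knob relaxes. The description string says only "Allow processes in capability mode to dump core", while the later hunks show that setting it makes the core-file open pass VN_OPEN_NOCAPCHECK, so the capability check on that open is skipped. Suggest a short comment above the declaration stating that the default is 0 (off) and what is bypassed when it is enabled. Since it is CTLFLAG_RW and applies system-wide, it is also worth saying whether runtime toggling is intended or whether a boot-time tunable alone would be enough.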
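
Review bot: the vn_open_cred() call added in the @@ -3134,12 +3139,17 @@ hunk passes only oflags (0 or VN_OPEN_NOCAPCHECK) with td->td_ucred, while the call in coredump() in the following hunk passes VN_OPEN_NOAUDIT as well and uses cred. If both core-file opens are meant to be treated alike, either OR VN_OPEN_NOAUDIT into oflags here or add a comment explaining why the indexed-name path is audited and the other is not, and why the credential differs. As a style point, the flag is computed with an if-assignment here and with an inline ternary in the other hunk; one form at both sites would be easier to read.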
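
Review bot: in the @@ -3241,7 +3251,8 @@ hunk, VN_OPEN_NOCAPCHECK is ORed in whenever capmode_coredump is set, with no check that the dumping thread is actually in capability mode, so the relaxed open applies to every core dump once the sysctl is on. Suggest computing the open flags into a local before the call (as the earlier hunk does with oflags) and conditioning the bypass on the thread being in capability mode, so its scope matches what the log message describes. A one-line comment noting that this open relies on O_NOFOLLOW and NOFOLLOW now that the capability check can be skipped would also help future readers.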