Date: Tue, 28 Jul 2009 07:09:46 GMT From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 166666 for review Message-ID: <200907280709.n6S79k9X018962@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=166666 Change 166666 by trasz@trasz_victim on 2009/07/28 07:09:32 Add setlogin(2), so that login(1) (and other programs using setusercontext(3)) can inform the kernel about login class, which is required for HRL rules with 'class' subject to work. 'id -c' may be used to display the current login class. Affected files ... .. //depot/projects/soc2009/trasz_limits/include/unistd.h#4 edit .. //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 edit .. //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 edit .. //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 edit .. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 edit .. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 edit .. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 edit .. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 edit .. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 edit .. //depot/projects/soc2009/trasz_limits/sys/conf/files#13 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#1 add .. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 edit .. //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 edit .. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 edit .. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 edit Differences ... ==== //depot/projects/soc2009/trasz_limits/include/unistd.h#4 (text+ko) ==== @@ -503,6 +503,7 @@ char *fflagstostr(u_long); int getdomainname(char *, int); int getgrouplist(const char *, gid_t, gid_t *, int *); +int getloginclass(char *, size_t); mode_t getmode(const void *, mode_t); int getosreldate(void); int getpeereid(int, uid_t *, gid_t *); @@ -562,6 +563,7 @@ #define _SETKEY_DECLARED #endif int setlogin(const char *); +int setloginclass(const char *); void *setmode(const char *); void setproctitle(const char *_fmt, ...) __printf0like(1, 2); int setresgid(gid_t, gid_t, gid_t); ==== //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 (text) ==== @@ -341,6 +341,7 @@ fexecve; fstatat; futimesat; + getloginclass; jail_get; jail_set; jail_remove; @@ -354,6 +355,7 @@ readlinkat; renameat; setfib; + setloginclass; shmctl; symlinkat; unlinkat; ==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 (text+ko) ==== @@ -49,7 +49,8 @@ #define LOGIN_SETENV 0x0080 /* set user environment */ #define LOGIN_SETMAC 0x0100 /* set user default MAC label */ #define LOGIN_SETCPUMASK 0x0200 /* set user cpumask */ -#define LOGIN_SETALL 0x03ff /* set everything */ +#define LOGIN_SETLOGINCLASS 0x0400 /* set login class in the kernel */ +#define LOGIN_SETALL 0x07ff /* set everything */ #define BI_AUTH "authorize" /* accepted authentication */ #define BI_REJECT "reject" /* rejected authentication */ ==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 (text+ko) ==== @@ -512,6 +512,18 @@ return (-1); } + if (lc != NULL && lc->lc_class != NULL) { + /* Inform the kernel about current login class */ + if ((flags & LOGIN_SETLOGINCLASS) && + setloginclass(lc->lc_class) != 0) { + syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class); +#ifdef notyet + login_close(llc); + return (-1); +#endif + } + } + mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0; mymask = setlogincontext(lc, pwd, mymask, flags); login_close(llc); ==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 (text+ko) ==== @@ -2,8 +2,8 @@ * System call prototypes. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/compat/freebsd32/freebsd32_proto.h,v 1.106 2009/07/08 16:30:34 trasz Exp $ - * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz + * $FreeBSD$ + * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp */ #ifndef _FREEBSD32_SYSPROTO_H_ @@ -453,6 +453,13 @@ char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)]; char buf_l_[PADL_(struct shmid_ds32 *)]; struct shmid_ds32 * buf; char buf_r_[PADR_(struct shmid_ds32 *)]; }; +struct hrl_args { + char op_l_[PADL_(int)]; int op; char op_r_[PADR_(int)]; + char inbufp_l_[PADL_(const void)]; const void inbufp; char inbufp_r_[PADR_(const void)]; + char inbuflen_l_[PADL_(size_t *)]; size_t * inbuflen; char inbuflen_r_[PADR_(size_t *)]; + char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)]; + char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)]; +}; int freebsd32_wait4(struct thread *, struct freebsd32_wait4_args *); int freebsd32_recvmsg(struct thread *, struct freebsd32_recvmsg_args *); int freebsd32_sendmsg(struct thread *, struct freebsd32_sendmsg_args *); @@ -536,6 +543,7 @@ int freebsd32_semctl(struct thread *, struct freebsd32_semctl_args *); int freebsd32_msgctl(struct thread *, struct freebsd32_msgctl_args *); int freebsd32_shmctl(struct thread *, struct freebsd32_shmctl_args *); +int hrl(struct thread *, struct hrl_args *); #ifdef COMPAT_43 @@ -814,6 +822,7 @@ #define FREEBSD32_SYS_AUE_freebsd32_semctl AUE_SEMCTL #define FREEBSD32_SYS_AUE_freebsd32_msgctl AUE_MSGCTL #define FREEBSD32_SYS_AUE_freebsd32_shmctl AUE_SHMCTL +#define FREEBSD32_SYS_AUE_hrl AUE_NULL #undef PAD_ #undef PADL_ ==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 (text+ko) ==== @@ -2,8 +2,8 @@ * System call numbers. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscall.h,v 1.105 2009/07/08 16:30:34 trasz Exp $ - * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz + * $FreeBSD$ + * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp */ #define FREEBSD32_SYS_syscall 0 @@ -382,4 +382,7 @@ #define FREEBSD32_SYS_freebsd32_msgctl 511 #define FREEBSD32_SYS_freebsd32_shmctl 512 #define FREEBSD32_SYS_lpathconf 513 -#define FREEBSD32_SYS_MAXSYSCALL 514 +#define FREEBSD32_SYS_hrl 514 +#define FREEBSD32_SYS_getloginclass 515 +#define FREEBSD32_SYS_setloginclass 516 +#define FREEBSD32_SYS_MAXSYSCALL 517 ==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 (text+ko) ==== @@ -2,8 +2,8 @@ * System call names. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscalls.c,v 1.96 2009/07/08 16:30:34 trasz Exp $ - * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz + * $FreeBSD$ + * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp */ const char *freebsd32_syscallnames[] = { @@ -521,4 +521,7 @@ "freebsd32_msgctl", /* 511 = freebsd32_msgctl */ "freebsd32_shmctl", /* 512 = freebsd32_shmctl */ "lpathconf", /* 513 = lpathconf */ + "hrl", /* 514 = hrl */ + "getloginclass", /* 515 = getloginclass */ + "setloginclass", /* 516 = setloginclass */ }; ==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 (text+ko) ==== @@ -2,8 +2,8 @@ * System call switch table. * * DO NOT EDIT-- this file is automatically generated. - * $FreeBSD: src/sys/compat/freebsd32/freebsd32_sysent.c,v 1.107 2009/07/08 16:30:34 trasz Exp $ - * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz + * $FreeBSD$ + * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp */ #include "opt_compat.h" @@ -558,4 +558,7 @@ { AS(freebsd32_msgctl_args), (sy_call_t *)freebsd32_msgctl, AUE_MSGCTL, NULL, 0, 0, 0 }, /* 511 = freebsd32_msgctl */ { AS(freebsd32_shmctl_args), (sy_call_t *)freebsd32_shmctl, AUE_SHMCTL, NULL, 0, 0, 0 }, /* 512 = freebsd32_shmctl */ { AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 }, /* 513 = lpathconf */ + { AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 }, /* 514 = hrl */ + { AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 515 = getloginclass */ + { AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 516 = setloginclass */ }; ==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 (text+ko) ==== @@ -902,3 +902,6 @@ struct shmid_ds32 *buf); } 513 AUE_LPATHCONF NOPROTO { int lpathconf(char *path, int name); } 514 AUE_NULL STD { int hrl(int op, const void inbufp, size_t *inbuflen, void *outbufp, size_t outbuflen); } +515 AUE_NULL NOPROTO { int getloginclass(char *namebuf, size_t \ + namelen); } +516 AUE_NULL NOPROTO { int setloginclass(const char *namebuf); } ==== //depot/projects/soc2009/trasz_limits/sys/conf/files#13 (text+ko) ==== @@ -1958,6 +1958,7 @@ kern/kern_lock.c standard kern/kern_lockf.c standard kern/kern_lockstat.c optional kdtrace_hooks +kern/kern_loginclass.c standard kern/kern_malloc.c standard kern/kern_mbuf.c standard kern/kern_mib.c standard ==== //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 (text+ko) ==== @@ -549,4 +549,6 @@ { AS(shmctl_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 512 = shmctl */ { AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 }, /* 513 = lpathconf */ { AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 }, /* 514 = hrl */ + { AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 515 = getloginclass */ + { AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 516 = setloginclass */ }; ==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 (text+ko) ==== @@ -522,4 +522,6 @@ "shmctl", /* 512 = shmctl */ "lpathconf", /* 513 = lpathconf */ "hrl", /* 514 = hrl */ + "getloginclass", /* 515 = getloginclass */ + "setloginclass", /* 516 = setloginclass */ }; ==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 (text+ko) ==== @@ -912,5 +912,8 @@ struct shmid_ds *buf); } 513 AUE_LPATHCONF STD { int lpathconf(char *path, int name); } 514 AUE_NULL STD { int hrl(int op, const void *inbufp, size_t inbuflen, void *outbufp, size_t outbuflen); } +515 AUE_NULL STD { int getloginclass(char *namebuf, size_t \ + namelen); } +516 AUE_NULL STD { int setloginclass(const char *namebuf); } ; Please copy any additions and changes to the following compatability tables: ; sys/compat/freebsd32/syscalls.master ==== //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 (text+ko) ==== @@ -3083,6 +3083,21 @@ *n_args = 5; break; } + /* getloginclass */ + case 515: { + struct getloginclass_args *p = params; + uarg[0] = (intptr_t) p->namebuf; /* char * */ + uarg[1] = p->namelen; /* size_t */ + *n_args = 2; + break; + } + /* setloginclass */ + case 516: { + struct setloginclass_args *p = params; + uarg[0] = (intptr_t) p->namebuf; /* const char * */ + *n_args = 1; + break; + } default: *n_args = 0; break; @@ -8187,6 +8202,29 @@ break; }; break; + /* getloginclass */ + case 515: + switch(ndx) { + case 0: + p = "char *"; + break; + case 1: + p = "size_t"; + break; + default: + break; + }; + break; + /* setloginclass */ + case 516: + switch(ndx) { + case 0: + p = "const char *"; + break; + default: + break; + }; + break; default: break; }; ==== //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 (text+ko) ==== @@ -115,9 +115,9 @@ }; /* - * 'hrl_limit' is used to link a subject with rules that apply - * to it. This way we don't have to search the whole HRL rules - * tree to enforce the limits. + * 'hrl_limit' connects rule with every subject it's related to. + * For example, rule 'user:X:openfiles:deny=N/process' is linked + * with uidinfo for user X, and to each process of that user. */ struct hrl_limit { LIST_ENTRY(hrl_limit) hl_next; ==== //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 (text+ko) ==== @@ -156,6 +156,7 @@ #define PRIV_PROC_LIMIT 160 /* Exceed user process limit. */ #define PRIV_PROC_SETLOGIN 161 /* Can call setlogin. */ #define PRIV_PROC_SETRLIMIT 162 /* Can raise resources limits. */ +#define PRIV_PROC_SETLOGINCLASS 163 /* Can call setloginclass(2). */ /* System V IPC privileges. */ ==== //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 (text+ko) ==== @@ -171,6 +171,7 @@ struct kdtrace_proc; struct kdtrace_thread; struct cpuset; +struct loginclass; /* * Kernel runnable context (thread). @@ -531,6 +532,7 @@ rlim_t p_cpulimit; /* (c) Current CPU limit in seconds. */ signed char p_nice; /* (c) Process "nice" value. */ int p_fibnum; /* in this routing domain XXX MRT */ + struct loginclass *p_loginclass; /* (c) login class */ /* End area that is copied on creation. */ #define p_endcopy p_xstat @@ -876,6 +878,8 @@ struct thread *thread_find(struct proc *p, lwpid_t tid); void thr_exit1(void); +struct loginclass *loginclass_find(const char *name); + #endif /* _KERNEL */ #endif /* !_SYS_PROC_H_ */ ==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 (text+ko) ==== @@ -429,4 +429,6 @@ #define SYS_shmctl 512 #define SYS_lpathconf 513 #define SYS_hrl 514 -#define SYS_MAXSYSCALL 515 +#define SYS_getloginclass 515 +#define SYS_setloginclass 516 +#define SYS_MAXSYSCALL 517 ==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 (text+ko) ==== @@ -377,4 +377,6 @@ msgctl.o \ shmctl.o \ lpathconf.o \ - hrl.o + hrl.o \ + getloginclass.o \ + setloginclass.o ==== //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 (text+ko) ==== @@ -1648,6 +1648,13 @@ char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)]; char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)]; }; +struct getloginclass_args { + char namebuf_l_[PADL_(char *)]; char * namebuf; char namebuf_r_[PADR_(char *)]; + char namelen_l_[PADL_(size_t)]; size_t namelen; char namelen_r_[PADR_(size_t)]; +}; +struct setloginclass_args { + char namebuf_l_[PADL_(const char *)]; const char * namebuf; char namebuf_r_[PADR_(const char *)]; +}; int nosys(struct thread *, struct nosys_args *); void sys_exit(struct thread *, struct sys_exit_args *); int fork(struct thread *, struct fork_args *); @@ -2007,6 +2014,8 @@ int shmctl(struct thread *, struct shmctl_args *); int lpathconf(struct thread *, struct lpathconf_args *); int hrl(struct thread *, struct hrl_args *); +int getloginclass(struct thread *, struct getloginclass_args *); +int setloginclass(struct thread *, struct setloginclass_args *); #ifdef COMPAT_43 @@ -2680,6 +2689,8 @@ #define SYS_AUE_shmctl AUE_SHMCTL #define SYS_AUE_lpathconf AUE_LPATHCONF #define SYS_AUE_hrl AUE_NULL +#define SYS_AUE_getloginclass AUE_NULL +#define SYS_AUE_setloginclass AUE_NULL #undef PAD_ #undef PADL_ ==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 (text+ko) ==== @@ -55,6 +55,8 @@ .Fl P .Op Ar user .Nm +.Fl c +.Nm .Fl g Op Fl nr .Op Ar user .Nm @@ -93,6 +95,8 @@ Ignored for compatibility with other .Nm implementations. +.It Fl c +Display current login class. .It Fl g Display the effective group ID as a number. .It Fl n ==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 (text+ko) ==== @@ -78,11 +78,13 @@ struct group *gr; struct passwd *pw; int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag; - int Aflag; + int Aflag, cflag; + int error; const char *myname; + char loginclass[MAXLOGNAME]; Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0; - Aflag = 0; + Aflag = cflag = 0; myname = strrchr(argv[0], '/'); myname = (myname != NULL) ? myname + 1 : argv[0]; @@ -96,7 +98,7 @@ } while ((ch = getopt(argc, argv, - (isgroups || iswhoami) ? "" : "APGMagnpru")) != -1) + (isgroups || iswhoami) ? "" : "APGMacgnpru")) != -1) switch(ch) { #ifdef USE_BSM_AUDIT case 'A': @@ -114,6 +116,9 @@ break; case 'a': break; + case 'c': + cflag = 1; + break; case 'g': gflag = 1; break; @@ -162,6 +167,14 @@ } #endif + if (cflag) { + error = getloginclass(loginclass, sizeof(loginclass)); + if (error) + err(1, "loginclass"); + (void)printf("%s\n", loginclass); + exit(0); + } + if (gflag) { id = pw ? pw->pw_gid : rflag ? getgid() : getegid(); if (nflag && (gr = getgrgid(id)))
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200907280709.n6S79k9X018962>