Date:      Tue, 27 Nov 2012 10:38:11 +0000 (UTC)
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r243613 - head/sys/kern
Message-ID:  <201211271038.qARAcBeX044425@svn.freebsd.org>

Author: pjd
Date: Tue Nov 27 10:38:11 2012
New Revision: 243613
URL: http://svnweb.freebsd.org/changeset/base/243613

Log:
  Add kern.capmode_coredump sysctl/tunable to allow processes in capability mode
  to dump core.
  
  Reviewed by:	rwatson
  Obtained from:	WHEEL Systems
  MFC after:	2 weeks

Modified:
  head/sys/kern/kern_sig.c

Modified: head/sys/kern/kern_sig.c
==============================================================================
--- head/sys/kern/kern_sig.c	Tue Nov 27 10:32:35 2012	(r243612)
+++ head/sys/kern/kern_sig.c	Tue Nov 27 10:38:11 2012	(r243613)
@@ -175,6 +175,11 @@ TUNABLE_INT("kern.sugid_coredump", &sugi
 SYSCTL_INT(_kern, OID_AUTO, sugid_coredump, CTLFLAG_RW,
     &sugid_coredump, 0, "Allow setuid and setgid processes to dump core");
 
+static int	capmode_coredump;
+TUNABLE_INT("kern.capmode_coredump", &capmode_coredump);
+SYSCTL_INT(_kern, OID_AUTO, capmode_coredump, CTLFLAG_RW,
+    &capmode_coredump, 0, "Allow processes in capability mode to dump core");
+
 static int	do_coredump = 1;
 SYSCTL_INT(_kern, OID_AUTO, coredump, CTLFLAG_RW,
 	&do_coredump, 0, "Enable/Disable coredumps");
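Review bot: The `capmode_coredump` declaration has no comment, and the description string does not tell an administrator what is relaxed when the knob is turned on. Judging from the other two hunks, it makes the core file open skip the capability-mode check (`VN_OPEN_NOCAPCHECK`), and as a global `CTLFLAG_RW` sysctl it applies to every sandboxed process at once rather than per process. I would add above the declaration `/* Off by default: when set, the core file open skips the capability-mode check for processes in capability mode. */` so the security trade-off is visible where the default is chosen.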
@@ -3134,12 +3139,17 @@ nomem:
 		int error, n;
 		int flags = O_CREAT | O_EXCL | FWRITE | O_NOFOLLOW;
 		int cmode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP;
+		int oflags = 0;
+
+		if (capmode_coredump)
+			oflags = VN_OPEN_NOCAPCHECK;
 
 		for (n = 0; n < num_cores; n++) {
 			temp[indexpos] = '0' + n;
 			NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE,
 			    temp, td);
-			error = vn_open(&nd, &flags, cmode, NULL);
+			error = vn_open_cred(&nd, &flags, cmode, oflags,
+			    td->td_ucred, NULL);
 			if (error) {
 				if (error == EEXIST)
 					continue;
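Review bot: The open flags are built differently at the two call sites: here through a separate `oflags` local and an `if`, in coredump() through an inline conditional. A single form in both places is easier to audit when someone searches for the bypass flag; `int oflags = capmode_coredump ? VN_OPEN_NOCAPCHECK : 0;` would match the other hunk. This path also passes no `VN_OPEN_NOAUDIT` while coredump() does, which as far as I can tell preserves what the old `vn_open()` call did, but it deserves a one-line comment if the difference is intentional. The enclosing function starts and ends outside the hunk.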
@@ -3241,7 +3251,8 @@ coredump(struct thread *td)
 restart:
 	NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, td);
 	flags = O_CREAT | FWRITE | O_NOFOLLOW;
-	error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR, VN_OPEN_NOAUDIT,
+	error = vn_open_cred(&nd, &flags, S_IRUSR | S_IWUSR,
+	    VN_OPEN_NOAUDIT | (capmode_coredump ? VN_OPEN_NOCAPCHECK : 0),
 	    cred, NULL);
 	if (error) {
 #ifdef AUDIT
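Review bot: With `kern.capmode_coredump` set, this open skips the capability-mode check and its `flags` carry no `O_EXCL` (the indexed path in the previous hunk does), so a crashing sandboxed process can cause an existing file at the core path to be opened for writing under `cred`. Any checks on the opened vnode come after the `if (error)` that ends this hunk and are not visible here; coredump() continues outside the hunk. A comment at the call would record what still bounds the write, e.g. `/* NOCAPCHECK only lifts the capability-mode check; permissions are still checked against cred and symlinks are refused (O_NOFOLLOW). */`.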


