PERFORCE change 166666 for review
Edward Tomasz Napierala
trasz at FreeBSD.org
Tue Jul 28 07:09:48 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=166666
Change 166666 by trasz at trasz_victim on 2009/07/28 07:09:32
Add setlogin(2), so that login(1) (and other programs using
setusercontext(3)) can inform the kernel about login class,
which is required for HRL rules with 'class' subject to work.
'id -c' may be used to display the current login class.
Affected files ...
.. //depot/projects/soc2009/trasz_limits/include/unistd.h#4 edit
.. //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 edit
.. //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 edit
.. //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 edit
.. //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/conf/files#13 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_loginclass.c#1 add
.. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 edit
.. //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 edit
.. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 edit
.. //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 edit
Differences ...
==== //depot/projects/soc2009/trasz_limits/include/unistd.h#4 (text+ko) ====
@@ -503,6 +503,7 @@
char *fflagstostr(u_long);
int getdomainname(char *, int);
int getgrouplist(const char *, gid_t, gid_t *, int *);
+int getloginclass(char *, size_t);
mode_t getmode(const void *, mode_t);
int getosreldate(void);
int getpeereid(int, uid_t *, gid_t *);
@@ -562,6 +563,7 @@
#define _SETKEY_DECLARED
#endif
int setlogin(const char *);
+int setloginclass(const char *);
void *setmode(const char *);
void setproctitle(const char *_fmt, ...) __printf0like(1, 2);
int setresgid(gid_t, gid_t, gid_t);
==== //depot/projects/soc2009/trasz_limits/lib/libc/sys/Symbol.map#8 (text) ====
@@ -341,6 +341,7 @@
fexecve;
fstatat;
futimesat;
+ getloginclass;
jail_get;
jail_set;
jail_remove;
@@ -354,6 +355,7 @@
readlinkat;
renameat;
setfib;
+ setloginclass;
shmctl;
symlinkat;
unlinkat;
==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_cap.h#2 (text+ko) ====
@@ -49,7 +49,8 @@
#define LOGIN_SETENV 0x0080 /* set user environment */
#define LOGIN_SETMAC 0x0100 /* set user default MAC label */
#define LOGIN_SETCPUMASK 0x0200 /* set user cpumask */
-#define LOGIN_SETALL 0x03ff /* set everything */
+#define LOGIN_SETLOGINCLASS 0x0400 /* set login class in the kernel */
+#define LOGIN_SETALL 0x07ff /* set everything */
#define BI_AUTH "authorize" /* accepted authentication */
#define BI_REJECT "reject" /* rejected authentication */
==== //depot/projects/soc2009/trasz_limits/lib/libutil/login_class.c#3 (text+ko) ====
@@ -512,6 +512,18 @@
return (-1);
}
+ if (lc != NULL && lc->lc_class != NULL) {
+ /* Inform the kernel about current login class */
+ if ((flags & LOGIN_SETLOGINCLASS) &&
+ setloginclass(lc->lc_class) != 0) {
+ syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
+#ifdef notyet
+ login_close(llc);
+ return (-1);
+#endif
+ }
+ }
+
mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0;
mymask = setlogincontext(lc, pwd, mymask, flags);
login_close(llc);
==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_proto.h#5 (text+ko) ====
@@ -2,8 +2,8 @@
* System call prototypes.
*
* DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_proto.h,v 1.106 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp
*/
#ifndef _FREEBSD32_SYSPROTO_H_
@@ -453,6 +453,13 @@
char cmd_l_[PADL_(int)]; int cmd; char cmd_r_[PADR_(int)];
char buf_l_[PADL_(struct shmid_ds32 *)]; struct shmid_ds32 * buf; char buf_r_[PADR_(struct shmid_ds32 *)];
};
+struct hrl_args {
+ char op_l_[PADL_(int)]; int op; char op_r_[PADR_(int)];
+ char inbufp_l_[PADL_(const void)]; const void inbufp; char inbufp_r_[PADR_(const void)];
+ char inbuflen_l_[PADL_(size_t *)]; size_t * inbuflen; char inbuflen_r_[PADR_(size_t *)];
+ char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)];
+ char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)];
+};
int freebsd32_wait4(struct thread *, struct freebsd32_wait4_args *);
int freebsd32_recvmsg(struct thread *, struct freebsd32_recvmsg_args *);
int freebsd32_sendmsg(struct thread *, struct freebsd32_sendmsg_args *);
@@ -536,6 +543,7 @@
int freebsd32_semctl(struct thread *, struct freebsd32_semctl_args *);
int freebsd32_msgctl(struct thread *, struct freebsd32_msgctl_args *);
int freebsd32_shmctl(struct thread *, struct freebsd32_shmctl_args *);
+int hrl(struct thread *, struct hrl_args *);
#ifdef COMPAT_43
@@ -814,6 +822,7 @@
#define FREEBSD32_SYS_AUE_freebsd32_semctl AUE_SEMCTL
#define FREEBSD32_SYS_AUE_freebsd32_msgctl AUE_MSGCTL
#define FREEBSD32_SYS_AUE_freebsd32_shmctl AUE_SHMCTL
+#define FREEBSD32_SYS_AUE_hrl AUE_NULL
#undef PAD_
#undef PADL_
==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscall.h#5 (text+ko) ====
@@ -2,8 +2,8 @@
* System call numbers.
*
* DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscall.h,v 1.105 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp
*/
#define FREEBSD32_SYS_syscall 0
@@ -382,4 +382,7 @@
#define FREEBSD32_SYS_freebsd32_msgctl 511
#define FREEBSD32_SYS_freebsd32_shmctl 512
#define FREEBSD32_SYS_lpathconf 513
-#define FREEBSD32_SYS_MAXSYSCALL 514
+#define FREEBSD32_SYS_hrl 514
+#define FREEBSD32_SYS_getloginclass 515
+#define FREEBSD32_SYS_setloginclass 516
+#define FREEBSD32_SYS_MAXSYSCALL 517
==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_syscalls.c#5 (text+ko) ====
@@ -2,8 +2,8 @@
* System call names.
*
* DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_syscalls.c,v 1.96 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp
*/
const char *freebsd32_syscallnames[] = {
@@ -521,4 +521,7 @@
"freebsd32_msgctl", /* 511 = freebsd32_msgctl */
"freebsd32_shmctl", /* 512 = freebsd32_shmctl */
"lpathconf", /* 513 = lpathconf */
+ "hrl", /* 514 = hrl */
+ "getloginclass", /* 515 = getloginclass */
+ "setloginclass", /* 516 = setloginclass */
};
==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/freebsd32_sysent.c#6 (text+ko) ====
@@ -2,8 +2,8 @@
* System call switch table.
*
* DO NOT EDIT-- this file is automatically generated.
- * $FreeBSD: src/sys/compat/freebsd32/freebsd32_sysent.c,v 1.107 2009/07/08 16:30:34 trasz Exp $
- * created from FreeBSD: head/sys/compat/freebsd32/syscalls.master 195468 2009-07-08 16:26:43Z trasz
+ * $FreeBSD$
+ * created from FreeBSD: src/sys/compat/freebsd32/syscalls.master,v 1.123 2009/07/08 16:26:43 trasz Exp
*/
#include "opt_compat.h"
@@ -558,4 +558,7 @@
{ AS(freebsd32_msgctl_args), (sy_call_t *)freebsd32_msgctl, AUE_MSGCTL, NULL, 0, 0, 0 }, /* 511 = freebsd32_msgctl */
{ AS(freebsd32_shmctl_args), (sy_call_t *)freebsd32_shmctl, AUE_SHMCTL, NULL, 0, 0, 0 }, /* 512 = freebsd32_shmctl */
{ AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 }, /* 513 = lpathconf */
+ { AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 }, /* 514 = hrl */
+ { AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 515 = getloginclass */
+ { AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 516 = setloginclass */
};
==== //depot/projects/soc2009/trasz_limits/sys/compat/freebsd32/syscalls.master#7 (text+ko) ====
@@ -902,3 +902,6 @@
struct shmid_ds32 *buf); }
513 AUE_LPATHCONF NOPROTO { int lpathconf(char *path, int name); }
514 AUE_NULL STD { int hrl(int op, const void inbufp, size_t *inbuflen, void *outbufp, size_t outbuflen); }
+515 AUE_NULL NOPROTO { int getloginclass(char *namebuf, size_t \
+ namelen); }
+516 AUE_NULL NOPROTO { int setloginclass(const char *namebuf); }
==== //depot/projects/soc2009/trasz_limits/sys/conf/files#13 (text+ko) ====
@@ -1958,6 +1958,7 @@
kern/kern_lock.c standard
kern/kern_lockf.c standard
kern/kern_lockstat.c optional kdtrace_hooks
+kern/kern_loginclass.c standard
kern/kern_malloc.c standard
kern/kern_mbuf.c standard
kern/kern_mib.c standard
==== //depot/projects/soc2009/trasz_limits/sys/kern/init_sysent.c#8 (text+ko) ====
@@ -549,4 +549,6 @@
{ AS(shmctl_args), (sy_call_t *)lkmressys, AUE_NULL, NULL, 0, 0, 0 }, /* 512 = shmctl */
{ AS(lpathconf_args), (sy_call_t *)lpathconf, AUE_LPATHCONF, NULL, 0, 0, 0 }, /* 513 = lpathconf */
{ AS(hrl_args), (sy_call_t *)hrl, AUE_NULL, NULL, 0, 0, 0 }, /* 514 = hrl */
+ { AS(getloginclass_args), (sy_call_t *)getloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 515 = getloginclass */
+ { AS(setloginclass_args), (sy_call_t *)setloginclass, AUE_NULL, NULL, 0, 0, 0 }, /* 516 = setloginclass */
};
==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.c#7 (text+ko) ====
@@ -522,4 +522,6 @@
"shmctl", /* 512 = shmctl */
"lpathconf", /* 513 = lpathconf */
"hrl", /* 514 = hrl */
+ "getloginclass", /* 515 = getloginclass */
+ "setloginclass", /* 516 = setloginclass */
};
==== //depot/projects/soc2009/trasz_limits/sys/kern/syscalls.master#7 (text+ko) ====
@@ -912,5 +912,8 @@
struct shmid_ds *buf); }
513 AUE_LPATHCONF STD { int lpathconf(char *path, int name); }
514 AUE_NULL STD { int hrl(int op, const void *inbufp, size_t inbuflen, void *outbufp, size_t outbuflen); }
+515 AUE_NULL STD { int getloginclass(char *namebuf, size_t \
+ namelen); }
+516 AUE_NULL STD { int setloginclass(const char *namebuf); }
; Please copy any additions and changes to the following compatability tables:
; sys/compat/freebsd32/syscalls.master
==== //depot/projects/soc2009/trasz_limits/sys/kern/systrace_args.c#7 (text+ko) ====
@@ -3083,6 +3083,21 @@
*n_args = 5;
break;
}
+ /* getloginclass */
+ case 515: {
+ struct getloginclass_args *p = params;
+ uarg[0] = (intptr_t) p->namebuf; /* char * */
+ uarg[1] = p->namelen; /* size_t */
+ *n_args = 2;
+ break;
+ }
+ /* setloginclass */
+ case 516: {
+ struct setloginclass_args *p = params;
+ uarg[0] = (intptr_t) p->namebuf; /* const char * */
+ *n_args = 1;
+ break;
+ }
default:
*n_args = 0;
break;
@@ -8187,6 +8202,29 @@
break;
};
break;
+ /* getloginclass */
+ case 515:
+ switch(ndx) {
+ case 0:
+ p = "char *";
+ break;
+ case 1:
+ p = "size_t";
+ break;
+ default:
+ break;
+ };
+ break;
+ /* setloginclass */
+ case 516:
+ switch(ndx) {
+ case 0:
+ p = "const char *";
+ break;
+ default:
+ break;
+ };
+ break;
default:
break;
};
==== //depot/projects/soc2009/trasz_limits/sys/sys/hrl.h#23 (text+ko) ====
@@ -115,9 +115,9 @@
};
/*
- * 'hrl_limit' is used to link a subject with rules that apply
- * to it. This way we don't have to search the whole HRL rules
- * tree to enforce the limits.
+ * 'hrl_limit' connects rule with every subject it's related to.
+ * For example, rule 'user:X:openfiles:deny=N/process' is linked
+ * with uidinfo for user X, and to each process of that user.
*/
struct hrl_limit {
LIST_ENTRY(hrl_limit) hl_next;
==== //depot/projects/soc2009/trasz_limits/sys/sys/priv.h#8 (text+ko) ====
@@ -156,6 +156,7 @@
#define PRIV_PROC_LIMIT 160 /* Exceed user process limit. */
#define PRIV_PROC_SETLOGIN 161 /* Can call setlogin. */
#define PRIV_PROC_SETRLIMIT 162 /* Can raise resources limits. */
+#define PRIV_PROC_SETLOGINCLASS 163 /* Can call setloginclass(2). */
/* System V IPC privileges.
*/
==== //depot/projects/soc2009/trasz_limits/sys/sys/proc.h#9 (text+ko) ====
@@ -171,6 +171,7 @@
struct kdtrace_proc;
struct kdtrace_thread;
struct cpuset;
+struct loginclass;
/*
* Kernel runnable context (thread).
@@ -531,6 +532,7 @@
rlim_t p_cpulimit; /* (c) Current CPU limit in seconds. */
signed char p_nice; /* (c) Process "nice" value. */
int p_fibnum; /* in this routing domain XXX MRT */
+ struct loginclass *p_loginclass; /* (c) login class */
/* End area that is copied on creation. */
#define p_endcopy p_xstat
@@ -876,6 +878,8 @@
struct thread *thread_find(struct proc *p, lwpid_t tid);
void thr_exit1(void);
+struct loginclass *loginclass_find(const char *name);
+
#endif /* _KERNEL */
#endif /* !_SYS_PROC_H_ */
==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.h#7 (text+ko) ====
@@ -429,4 +429,6 @@
#define SYS_shmctl 512
#define SYS_lpathconf 513
#define SYS_hrl 514
-#define SYS_MAXSYSCALL 515
+#define SYS_getloginclass 515
+#define SYS_setloginclass 516
+#define SYS_MAXSYSCALL 517
==== //depot/projects/soc2009/trasz_limits/sys/sys/syscall.mk#7 (text+ko) ====
@@ -377,4 +377,6 @@
msgctl.o \
shmctl.o \
lpathconf.o \
- hrl.o
+ hrl.o \
+ getloginclass.o \
+ setloginclass.o
==== //depot/projects/soc2009/trasz_limits/sys/sys/sysproto.h#7 (text+ko) ====
@@ -1648,6 +1648,13 @@
char outbufp_l_[PADL_(void *)]; void * outbufp; char outbufp_r_[PADR_(void *)];
char outbuflen_l_[PADL_(size_t)]; size_t outbuflen; char outbuflen_r_[PADR_(size_t)];
};
+struct getloginclass_args {
+ char namebuf_l_[PADL_(char *)]; char * namebuf; char namebuf_r_[PADR_(char *)];
+ char namelen_l_[PADL_(size_t)]; size_t namelen; char namelen_r_[PADR_(size_t)];
+};
+struct setloginclass_args {
+ char namebuf_l_[PADL_(const char *)]; const char * namebuf; char namebuf_r_[PADR_(const char *)];
+};
int nosys(struct thread *, struct nosys_args *);
void sys_exit(struct thread *, struct sys_exit_args *);
int fork(struct thread *, struct fork_args *);
@@ -2007,6 +2014,8 @@
int shmctl(struct thread *, struct shmctl_args *);
int lpathconf(struct thread *, struct lpathconf_args *);
int hrl(struct thread *, struct hrl_args *);
+int getloginclass(struct thread *, struct getloginclass_args *);
+int setloginclass(struct thread *, struct setloginclass_args *);
#ifdef COMPAT_43
@@ -2680,6 +2689,8 @@
#define SYS_AUE_shmctl AUE_SHMCTL
#define SYS_AUE_lpathconf AUE_LPATHCONF
#define SYS_AUE_hrl AUE_NULL
+#define SYS_AUE_getloginclass AUE_NULL
+#define SYS_AUE_setloginclass AUE_NULL
#undef PAD_
#undef PADL_
==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.1#2 (text+ko) ====
@@ -55,6 +55,8 @@
.Fl P
.Op Ar user
.Nm
+.Fl c
+.Nm
.Fl g Op Fl nr
.Op Ar user
.Nm
@@ -93,6 +95,8 @@
Ignored for compatibility with other
.Nm
implementations.
+.It Fl c
+Display current login class.
.It Fl g
Display the effective group ID as a number.
.It Fl n
==== //depot/projects/soc2009/trasz_limits/usr.bin/id/id.c#3 (text+ko) ====
@@ -78,11 +78,13 @@
struct group *gr;
struct passwd *pw;
int Gflag, Mflag, Pflag, ch, gflag, id, nflag, pflag, rflag, uflag;
- int Aflag;
+ int Aflag, cflag;
+ int error;
const char *myname;
+ char loginclass[MAXLOGNAME];
Gflag = Mflag = Pflag = gflag = nflag = pflag = rflag = uflag = 0;
- Aflag = 0;
+ Aflag = cflag = 0;
myname = strrchr(argv[0], '/');
myname = (myname != NULL) ? myname + 1 : argv[0];
@@ -96,7 +98,7 @@
}
while ((ch = getopt(argc, argv,
- (isgroups || iswhoami) ? "" : "APGMagnpru")) != -1)
+ (isgroups || iswhoami) ? "" : "APGMacgnpru")) != -1)
switch(ch) {
#ifdef USE_BSM_AUDIT
case 'A':
@@ -114,6 +116,9 @@
break;
case 'a':
break;
+ case 'c':
+ cflag = 1;
+ break;
case 'g':
gflag = 1;
break;
@@ -162,6 +167,14 @@
}
#endif
+ if (cflag) {
+ error = getloginclass(loginclass, sizeof(loginclass));
+ if (error)
+ err(1, "loginclass");
+ (void)printf("%s\n", loginclass);
+ exit(0);
+ }
+
if (gflag) {
id = pw ? pw->pw_gid : rflag ? getgid() : getegid();
if (nflag && (gr = getgrgid(id)))
More information about the p4-projects
mailing list