PERFORCE change 231269 for review

Robert Watson rwatson at FreeBSD.org
Thu Jul 18 22:54:41 UTC 2013 

http://p4web.freebsd.org/@@231269?ac=10

Change 231269 by rwatson at rwatson_cinnamon on 2013/07/18 22:53:40

	When a credential is changed, it's OK if setsugid() is set before
	the change rather than after, since it's a process rather than
	credential property.  This fixes a TESLA false positive in execve()
	in which setsugid() is called once up-front if the credential will
	be modified by at least one if setuid, setgid, etc, rather than
	after as occurs in the system calls setuid(), setgid(), and so on.

Affected files ...

.. //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#3 edit

Differences ...

==== //depot/projects/ctsrd/tesla/src/sys/kern/kern_prot.c#3 (text+ko) ====

@@ -2156,7 +2156,8 @@
 	    == 0) ||
 	    previously(mac_cred_check_setresuid(ANY(ptr), ANY(int), euid,
 	    ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 
 	newcred->cr_uid = euid;
 	uihold(euip);
@@ -2180,7 +2181,8 @@
 	    == 0) ||
 	    previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), egid,
 	    ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 	
 	newcred->cr_groups[0] = egid;
 }
@@ -2204,7 +2206,8 @@
 	    == 0) ||
 	    previously(mac_cred_check_setresuid(ANY(ptr), ruid, ANY(int),
 	    ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 
 	(void)chgproccnt(newcred->cr_ruidinfo, -1, 0);
 	newcred->cr_ruid = ruid;
@@ -2230,7 +2233,8 @@
 	    == 0) ||
 	    previously(mac_cred_check_setresgid(ANY(ptr), rgid, ANY(int),
 	    ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 	
 	newcred->cr_rgid = rgid;
 }
@@ -2251,7 +2255,8 @@
 	    ANY(int)) == 0) ||
 	    previously(mac_cred_check_setresuid(ANY(ptr), ANY(int),
 	    ANY(int), ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 
 	newcred->cr_svuid = svuid;
 }
@@ -2272,7 +2277,8 @@
 	    == 0) ||
 	    previously(mac_cred_check_setresgid(ANY(ptr), ANY(int), ANY(int),
 	    ANY(int)) == 0));
-	TESLA_SYSCALL(eventually(called(setsugid)));
+	TESLA_SYSCALL(previously(called(setsugid)) ||
+	    eventually(called(setsugid)));
 	
 	newcred->cr_svgid = svgid;
 }

More information about the p4-projects mailing list