FreeBSD kernel kern code
|
#include <sys/cdefs.h>
#include <sys/param.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/sx.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sdt.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
#include <security/mac/mac_framework.h>
Go to the source code of this file.
Functions | |
__FBSDID ("$FreeBSD$") | |
static bool | suser_enabled (struct ucred *cred) |
static int | sysctl_kern_suser_enabled (SYSCTL_HANDLER_ARGS) |
SYSCTL_PROC (_security_bsd, OID_AUTO, suser_enabled, CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON|CTLFLAG_MPSAFE, 0, 0, &sysctl_kern_suser_enabled, "I", "Processes with uid 0 have privilege") | |
SYSCTL_INT (_security_bsd, OID_AUTO, unprivileged_mlock, CTLFLAG_RWTUN, &unprivileged_mlock, 0, "Allow non-root users to call mlock(2)") | |
SYSCTL_INT (_security_bsd, OID_AUTO, unprivileged_read_msgbuf, CTLFLAG_RW, &unprivileged_read_msgbuf, 0, "Unprivileged processes may read the kernel message buffer") | |
SDT_PROVIDER_DEFINE (priv) | |
SDT_PROBE_DEFINE1 (priv, kernel, priv_check, priv__ok, "int") | |
SDT_PROBE_DEFINE1 (priv, kernel, priv_check, priv__err, "int") | |
static __always_inline int | priv_check_cred_pre (struct ucred *cred, int priv) |
static __always_inline int | priv_check_cred_post (struct ucred *cred, int priv, int error, bool handled) |
int | priv_check_cred (struct ucred *cred, int priv) |
int | priv_check (struct thread *td, int priv) |
static int __noinline | priv_check_cred_vfs_lookup_slow (struct ucred *cred) |
int | priv_check_cred_vfs_lookup (struct ucred *cred) |
int | priv_check_cred_vfs_lookup_nomac (struct ucred *cred) |
static int __noinline | priv_check_cred_vfs_generation_slow (struct ucred *cred) |
int | priv_check_cred_vfs_generation (struct ucred *cred) |
Variables | |
static int | unprivileged_mlock = 1 |
static int | unprivileged_read_msgbuf = 1 |
__FBSDID | ( | "$FreeBSD$" | ) |
int priv_check | ( | struct thread * | td, |
int | priv | ||
) |
Definition at line 271 of file kern_priv.c.
References priv_check_cred().
Referenced by _falloc_noinstall(), _intr_event_bind(), cpuset_modify(), cpuset_modify_domain(), cpuset_setproc(), devctl2_ioctl(), do_lock_pp(), do_unlock_pp(), donice(), dumper_insert(), dumper_remove(), firmware_get_flags(), ipcperm(), kern_adjtime(), kern_clock_settime(), kern_fcntl(), kern_fhlinkat(), kern_fhopen(), kern_fhstat(), kern_fhstatfs(), kern_getfhat(), kern_jail_set(), kern_kldload(), kern_kldunload(), kern_linkat(), kern_mknodat(), kern_msgctl(), kern_ntp_adjtime(), kern_proc_setrlimit(), kern_settimeofday(), kern_unmount(), mqfs_setattr(), p_candebug(), p_cansched(), priv_check_cred_post(), protect_set(), setfflags(), sys_acct(), sys_chroot(), sys_fhreadlink(), sys_jail_attach(), sys_jail_remove(), sys_kenv(), sys_reboot(), sys_revoke(), sys_rtprio(), sys_rtprio_thread(), sys_setlogin(), sys_setloginclass(), sysctl_kern_msgbuf(), sysctl_root(), thread_create(), tty_generic_ioctl(), ttydev_open(), ttyil_ioctl(), vfs_domount(), vfs_suser(), and vn_io_fault().
int priv_check_cred | ( | struct ucred * | cred, |
int | priv | ||
) |
Definition at line 151 of file kern_priv.c.
References prison_allow(), prison_priv_check(), priv_check_cred_post(), priv_check_cred_pre(), priv_check_cred_vfs_generation(), priv_check_cred_vfs_lookup(), suser_enabled(), unprivileged_mlock, and unprivileged_read_msgbuf.
Referenced by can_hardlink(), cr_canseeothergids(), cr_canseeotheruids(), cr_cansignal(), do_unlink(), extattr_check_cred(), fork1(), kern_setgroups(), ksem_access(), ksem_chown(), mqf_chown(), priv_check(), shm_chown(), sys_setegid(), sys_seteuid(), sys_setgid(), sys_setregid(), sys_setresgid(), sys_setresuid(), sys_setreuid(), sys_setuid(), vaccess(), vaccess_acl_nfs4(), vaccess_acl_posix1e(), and vfs_domount_first().
|
static |
Definition at line 115 of file kern_priv.c.
References priv_check().
Referenced by priv_check_cred(), priv_check_cred_vfs_generation_slow(), and priv_check_cred_vfs_lookup_slow().
|
static |
Definition at line 102 of file kern_priv.c.
Referenced by priv_check_cred(), priv_check_cred_vfs_generation_slow(), and priv_check_cred_vfs_lookup_slow().
int priv_check_cred_vfs_generation | ( | struct ucred * | cred | ) |
Definition at line 355 of file kern_priv.c.
References priv_check_cred_vfs_generation_slow(), and suser_enabled().
Referenced by kern_do_statfs(), kern_getfsstat(), and priv_check_cred().
|
static |
Definition at line 330 of file kern_priv.c.
References priv_check_cred_post(), priv_check_cred_pre(), and suser_enabled().
Referenced by priv_check_cred_vfs_generation().
int priv_check_cred_vfs_lookup | ( | struct ucred * | cred | ) |
Definition at line 300 of file kern_priv.c.
References priv_check_cred_vfs_lookup_slow(), and suser_enabled().
Referenced by priv_check_cred().
int priv_check_cred_vfs_lookup_nomac | ( | struct ucred * | cred | ) |
Definition at line 315 of file kern_priv.c.
References suser_enabled().
Referenced by vaccess_vexec_smr().
|
static |
Definition at line 280 of file kern_priv.c.
References priv_check_cred_post(), priv_check_cred_pre(), and suser_enabled().
Referenced by priv_check_cred_vfs_lookup().
SDT_PROBE_DEFINE1 | ( | priv | , |
kernel | , | ||
priv_check | , | ||
priv__err | , | ||
"int" | |||
) |
SDT_PROBE_DEFINE1 | ( | priv | , |
kernel | , | ||
priv_check | , | ||
priv__ok | , | ||
"int" | |||
) |
SDT_PROVIDER_DEFINE | ( | priv | ) |
|
static |
Definition at line 63 of file kern_priv.c.
References prison_allow().
Referenced by priv_check_cred(), priv_check_cred_vfs_generation(), priv_check_cred_vfs_generation_slow(), priv_check_cred_vfs_lookup(), priv_check_cred_vfs_lookup_nomac(), priv_check_cred_vfs_lookup_slow(), and sysctl_kern_suser_enabled().
SYSCTL_INT | ( | _security_bsd | , |
OID_AUTO | , | ||
unprivileged_mlock | , | ||
CTLFLAG_RWTUN | , | ||
& | unprivileged_mlock, | ||
0 | , | ||
"Allow non-root users to call mlock(2)" | |||
) |
SYSCTL_INT | ( | _security_bsd | , |
OID_AUTO | , | ||
unprivileged_read_msgbuf | , | ||
CTLFLAG_RW | , | ||
& | unprivileged_read_msgbuf, | ||
0 | , | ||
"Unprivileged processes may read the kernel message buffer" | |||
) |
|
static |
Definition at line 70 of file kern_priv.c.
References prison_set_allow(), suser_enabled(), and sysctl_handle_int().
SYSCTL_PROC | ( | _security_bsd | , |
OID_AUTO | , | ||
suser_enabled | , | ||
CTLTYPE_INT|CTLFLAG_RWTUN|CTLFLAG_PRISON| | CTLFLAG_MPSAFE, | ||
0 | , | ||
0 | , | ||
& | sysctl_kern_suser_enabled, | ||
"I" | , | ||
"Processes with uid 0 have privilege" | |||
) |
|
static |
Definition at line 88 of file kern_priv.c.
Referenced by priv_check_cred().
|
static |
Definition at line 92 of file kern_priv.c.
Referenced by priv_check_cred().