diff --git a/sys/amd64/linux/linux_sysvec.c b/sys/amd64/linux/linux_sysvec.c
--- a/sys/amd64/linux/linux_sysvec.c
+++ b/sys/amd64/linux/linux_sysvec.c
@@ -783,6 +783,7 @@
.sv_onexec = linux_on_exec,
.sv_onexit = linux_on_exit,
.sv_ontdexit = linux_thread_dtor,
+ .sv_setid_allowed = &linux_setid_allowed_query,
};
static void
diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c
--- a/sys/amd64/linux32/linux32_sysvec.c
+++ b/sys/amd64/linux32/linux32_sysvec.c
@@ -928,6 +928,7 @@
.sv_onexec = linux_on_exec,
.sv_onexit = linux_on_exit,
.sv_ontdexit = linux_thread_dtor,
+ .sv_setid_allowed = &linux_setid_allowed_query,
};
static void
diff --git a/sys/arm64/linux/linux_sysvec.c b/sys/arm64/linux/linux_sysvec.c
--- a/sys/arm64/linux/linux_sysvec.c
+++ b/sys/arm64/linux/linux_sysvec.c
@@ -422,6 +422,7 @@
.sv_onexec = linux_on_exec,
.sv_onexit = linux_on_exit,
.sv_ontdexit = linux_thread_dtor,
+ .sv_setid_allowed = &linux_setid_allowed_query,
};
static void
diff --git a/sys/compat/linux/linux_mib.h b/sys/compat/linux/linux_mib.h
--- a/sys/compat/linux/linux_mib.h
+++ b/sys/compat/linux/linux_mib.h
@@ -70,4 +70,7 @@
extern int linux_preserve_vstatus;
extern bool linux_map_sched_prio;
+struct image_params;
+bool linux_setid_allowed_query(struct thread *td, struct image_params *imgp);
+
#endif /* _LINUX_MIB_H_ */
diff --git a/sys/compat/linux/linux_mib.c b/sys/compat/linux/linux_mib.c
--- a/sys/compat/linux/linux_mib.c
+++ b/sys/compat/linux/linux_mib.c
@@ -99,6 +99,18 @@
SYSCTL_INT(_compat_linux, OID_AUTO, use_emul_path, CTLFLAG_RWTUN,
&linux_use_emul_path, 0, "Use linux.compat.emul_path");
+static bool linux_setid_allowed = false;
+SYSCTL_BOOL(_compat_linux, OID_AUTO, setid_allowed, CTLFLAG_RWTUN,
+ &linux_setid_allowed, 0,
+ "Allow setuid/setgid on execve of Linux binary");
+
+bool
+linux_setid_allowed_query(struct thread *td __unused,
+ struct image_params *imgp __unused)
+{
+ return (linux_setid_allowed);
+}
+
static int linux_set_osname(struct thread *td, char *osname);
static int linux_set_osrelease(struct thread *td, char *osrelease);
static int linux_set_oss_version(struct thread *td, int oss_version);
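Review bot: The description string at the SYSCTL_BOOL line does not say that the knob defaults to off, and with that default a set-id Linux binary silently executes with the caller's credentials instead of failing, which is the behaviour change an operator will hit first. I would make the string say so, e.g. `"Allow setuid/setgid on execve of Linux binary (default off: set-id bits are ignored)"`. linux_setid_allowed_query is a plain read of a bool that sysctl can flip at any time; that is fine for one flag, but a one-line comment above the function such as `/* Called from do_execve after the image activator; td/imgp are reserved for per-process policy. */` would document why the unused parameters exist.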
diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c
--- a/sys/i386/linux/linux_sysvec.c
+++ b/sys/i386/linux/linux_sysvec.c
@@ -871,6 +871,7 @@
.sv_onexec = linux_on_exec,
.sv_onexit = linux_on_exit,
.sv_ontdexit = linux_thread_dtor,
+ .sv_setid_allowed = &linux_setid_allowed_query,
};
INIT_SYSENTVEC(aout_sysvec, &linux_sysvec);
@@ -908,6 +909,7 @@
.sv_onexec = linux_on_exec,
.sv_onexit = linux_on_exit,
.sv_ontdexit = linux_thread_dtor,
+ .sv_setid_allowed = &linux_setid_allowed_query,
};
static void
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -353,6 +353,16 @@
return (do_execve(td, args, mac_p, oldvmspace));
}
+static void
+execve_nosetid(struct image_params *imgp)
+{
+ imgp->credential_setid = false;
+ if (imgp->newcred != NULL) {
+ crfree(imgp->newcred);
+ imgp->newcred = NULL;
+ }
+}
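Review bot: execve_nosetid carries no comment saying what it undoes: it reverts the earlier decision in do_execve (outside this hunk) to perform a set-id credential change, so the image is installed with the caller's unchanged credentials. Suggest `/* Drop a pending set-id credential change; exec continues with the caller's credentials. Safe when no change is pending (newcred == NULL). */` above the function. The second sentence matters because the helper is now called from two places with different intent, the retry/cleanup path and a policy denial.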
+
/*
* In-kernel implementation of execve(). All arguments are assumed to be
* userspace pointers from the passed thread.
@@ -639,11 +649,7 @@
vput(newtextvp);
vm_object_deallocate(imgp->object);
imgp->object = NULL;
- imgp->credential_setid = false;
- if (imgp->newcred != NULL) {
- crfree(imgp->newcred);
- imgp->newcred = NULL;
- }
+ execve_nosetid(imgp);
imgp->execpath = NULL;
free(imgp->freepath, M_TEMP);
imgp->freepath = NULL;
@@ -768,6 +774,10 @@
signotify(td);
}
+ if (imgp->sysent->sv_setid_allowed != NULL &&
+ !(*imgp->sysent->sv_setid_allowed)(td, imgp))
+ execve_nosetid(imgp);
+
/*
* Implement image setuid/setgid installation.
*/
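Review bot: The hook is evaluated only after the image activator has run, because imgp->sysent is not known before that, yet credential_setid and newcred were computed earlier in do_execve and the comment in that earlier section (outside this hunk) says activators and process_exec handlers may consult them; a hook returning false therefore overrides a decision other code may already have acted on, and nothing here says that is intended. A comment above the check should state that denial is deliberately fail-closed, i.e. the exec proceeds with unchanged credentials rather than returning an error, and that no credential has been installed at this point so execve_nosetid is sufficient: `/* Let the ABI veto set-id; sysent is known only after the activator. Denial is fail-closed: exec continues with the caller's credentials. */`. Whether anything between the two points consumed credential_setid is inferred from the surrounding file and should be verified against the activator path. do_execve starts and ends outside this hunk.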
diff --git a/sys/sys/sysent.h b/sys/sys/sysent.h
--- a/sys/sys/sysent.h
+++ b/sys/sys/sysent.h
@@ -148,6 +148,8 @@
void (*sv_onexec)(struct proc *, struct image_params *);
void (*sv_onexit)(struct proc *);
void (*sv_ontdexit)(struct thread *td);
+ bool (*sv_setid_allowed)(struct thread *td,
+ struct image_params *imgp);
};
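Review bot: The new sv_setid_allowed member is the one hook in this struct whose absence has a meaning (a NULL pointer means set-id is honored, per the check in kern_exec.c), and the header says nothing about that contract. Suggest a trailing comment on the declaration: `/* NULL or returns true: honor set-id bits on the image. */`. The struct definition starts outside the hunk.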
#define SV_ILP32 0x000100 /* 32-bit executable. */
D28154: Add compat.linux.setid_allowed knob