Page MenuHomeFreeBSD
Differential D35372 Diff 108301 sys/security/mac_ddb/mac_ddb.c

Changeset View

Standalone View

View Options

sys/security/mac_ddb/mac_ddb.c

Show All 23 Lines
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
#include <sys/param.h> #include <sys/param.h>
#include <sys/jail.h>
#include <sys/kdb.h> #include <sys/kdb.h>
#include <sys/module.h> #include <sys/module.h>
#include <sys/mount.h>
#include <sys/proc.h> #include <sys/proc.h>
#include <sys/queue.h>
#include <sys/rman.h>
#include <sys/sysctl.h> #include <sys/sysctl.h>
#include <net/vnet.h>
#include <ddb/ddb.h> #include <ddb/ddb.h>
#include <ddb/db_command.h> #include <ddb/db_command.h>
#include <security/mac/mac_policy.h> #include <security/mac/mac_policy.h>
/* /*
* This module provides a limited interface to the ddb(4) kernel debugger. The * This module provides a limited interface to the ddb(4) kernel debugger. The
* intent is to allow execution of useful debugging commands while disallowing * intent is to allow execution of useful debugging commands while disallowing
Show All 17 Lines
*/ */
#define DB_CMD_VALIDATE DB_MAC1 #define DB_CMD_VALIDATE DB_MAC1
typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count, typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count,
char *modif); char *modif);
static db_validation_fn_t db_thread_valid; static db_validation_fn_t db_thread_valid;
static db_validation_fn_t db_show_ffs_valid;
static db_validation_fn_t db_show_prison_valid;
static db_validation_fn_t db_show_proc_valid;
static db_validation_fn_t db_show_rman_valid;
static db_validation_fn_t db_show_vnet_valid;
struct cmd_list_item { struct cmd_list_item {
const char *name; const char *name;
db_validation_fn_t *validate_fn; db_validation_fn_t *validate_fn;
}; };
/* List of top-level ddb(4) commands which are allowed by this policy. */ /* List of top-level ddb(4) commands which are allowed by this policy. */
static const struct cmd_list_item command_list[] = { static const struct cmd_list_item command_list[] = {
{ "thread", db_thread_valid }, { "thread", db_thread_valid },
}; };
/* List of ddb(4) 'show' commands which are allowed by this policy. */ /* List of ddb(4) 'show' commands which are allowed by this policy. */
static const struct cmd_list_item show_command_list[] = { static const struct cmd_list_item show_command_list[] = {
{ "ffs", db_show_ffs_valid },
{ "prison", db_show_prison_valid },
{ "proc", db_show_proc_valid },
{ "rman", db_show_rman_valid },
{ "thread", db_thread_valid }, { "thread", db_thread_valid },
{ "vnet", db_show_vnet_valid },
}; };
static int static int
db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
{ {
struct thread *thr; struct thread *thr;
lwpid_t tid; lwpid_t tid;
/* Default will show the current proc. */ /* Default will show the current proc. */
if (!have_addr) if (!have_addr)
return (0); return (0);
/* Validate the provided addr OR tid against the thread list. */ /* Validate the provided addr OR tid against the thread list. */
tid = db_hex2dec(addr); tid = db_hex2dec(addr);
for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) { for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) {
if ((void *)thr == (void *)addr || tid == thr->td_tid) if ((void *)thr == (void *)addr || tid == thr->td_tid)
return (0);
}
return (EACCES);
}
static int
db_show_ffs_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
{
struct mount *mp;
/* No addr will show all mounts. */
if (!have_addr)
return (0);
TAILQ_FOREACH(mp, &mountlist, mnt_list)
if ((void *)mp == (void *)addr)
return (0);
return (EACCES);
}
static int
db_show_prison_valid(db_expr_t addr, bool have_addr, db_expr_t count,
char *modif)
{
struct prison *pr;
int pr_id;
if (!have_addr || addr == 0)
return (0);
/* prison can match by pointer address or ID. */
pr_id = (int)addr;
TAILQ_FOREACH(pr, &allprison, pr_list)
if (pr->pr_id == pr_id || (void *)pr == (void *)addr)
return (0);
return (EACCES);
}
static int
db_show_proc_valid(db_expr_t addr, bool have_addr, db_expr_t count,
char *modif)
{
struct proc *p;
int i;
/* Default will show the current proc. */
if (!have_addr)
return (0);
for (i = 0; i <= pidhash; i++) {
LIST_FOREACH(p, &pidhashtbl[i], p_hash) {
if ((void *)p == (void *)addr)
return (0);
}
}
return (EACCES);
}
static int
db_show_rman_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
{
struct rman *rm;
TAILQ_FOREACH(rm, &rman_head, rm_link) {
if ((void *)rm == (void *)rm)
return (0);
}
return (EACCES);
}
static int
db_show_vnet_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif)
{
VNET_ITERATOR_DECL(vnet);
if (!have_addr)
return (0);
VNET_FOREACH(vnet) {
if ((void *)vnet == (void *)addr)
return (0); return (0);
} }
return (EACCES); return (EACCES);
} }
static int static int
command_match(struct db_command *cmd, struct cmd_list_item item) command_match(struct db_command *cmd, struct cmd_list_item item)
▲ Show 20 LinesShow All 159 LinesShow Last 20 Lines