sys/security/mac_ddb/mac_ddb.c
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | ||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | ||||
*/ | */ | ||||
#include <sys/param.h> | #include <sys/param.h> | ||||
#include <sys/jail.h> | |||||
#include <sys/kdb.h> | #include <sys/kdb.h> | ||||
#include <sys/module.h> | #include <sys/module.h> | ||||
#include <sys/mount.h> | |||||
#include <sys/proc.h> | #include <sys/proc.h> | ||||
#include <sys/queue.h> | |||||
#include <sys/rman.h> | |||||
#include <sys/sysctl.h> | #include <sys/sysctl.h> | ||||
#include <net/vnet.h> | |||||
#include <ddb/ddb.h> | #include <ddb/ddb.h> | ||||
#include <ddb/db_command.h> | #include <ddb/db_command.h> | ||||
#include <security/mac/mac_policy.h> | #include <security/mac/mac_policy.h> | ||||
/* | /* | ||||
* This module provides a limited interface to the ddb(4) kernel debugger. The | * This module provides a limited interface to the ddb(4) kernel debugger. The | ||||
* intent is to allow execution of useful debugging commands while disallowing | * intent is to allow execution of useful debugging commands while disallowing | ||||
*/ | */ | ||||
#define DB_CMD_VALIDATE DB_MAC1 | #define DB_CMD_VALIDATE DB_MAC1 | ||||
typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count, | typedef int db_validation_fn_t(db_expr_t addr, bool have_addr, db_expr_t count, | ||||
char *modif); | char *modif); | ||||
static db_validation_fn_t db_thread_valid; | static db_validation_fn_t db_thread_valid; | ||||
static db_validation_fn_t db_show_ffs_valid; | |||||
static db_validation_fn_t db_show_prison_valid; | |||||
static db_validation_fn_t db_show_proc_valid; | |||||
static db_validation_fn_t db_show_rman_valid; | |||||
static db_validation_fn_t db_show_vnet_valid; | |||||
struct cmd_list_item { | struct cmd_list_item { | ||||
const char *name; | const char *name; | ||||
db_validation_fn_t *validate_fn; | db_validation_fn_t *validate_fn; | ||||
}; | }; | ||||
/* List of top-level ddb(4) commands which are allowed by this policy. */ | /* List of top-level ddb(4) commands which are allowed by this policy. */ | ||||
static const struct cmd_list_item command_list[] = { | static const struct cmd_list_item command_list[] = { | ||||
{ "thread", db_thread_valid }, | { "thread", db_thread_valid }, | ||||
}; | }; | ||||
/* List of ddb(4) 'show' commands which are allowed by this policy. */ | /* List of ddb(4) 'show' commands which are allowed by this policy. */ | ||||
static const struct cmd_list_item show_command_list[] = { | static const struct cmd_list_item show_command_list[] = { | ||||
{ "ffs", db_show_ffs_valid }, | |||||
{ "prison", db_show_prison_valid }, | |||||
{ "proc", db_show_proc_valid }, | |||||
{ "rman", db_show_rman_valid }, | |||||
{ "thread", db_thread_valid }, | { "thread", db_thread_valid }, | ||||
{ "vnet", db_show_vnet_valid }, | |||||
}; | }; | ||||
static int | static int | ||||
db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) | db_thread_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) | ||||
{ | { | ||||
struct thread *thr; | struct thread *thr; | ||||
lwpid_t tid; | lwpid_t tid; | ||||
/* Default will show the current proc. */ | /* Default will show the current proc. */ | ||||
if (!have_addr) | if (!have_addr) | ||||
return (0); | return (0); | ||||
/* Validate the provided addr OR tid against the thread list. */ | /* Validate the provided addr OR tid against the thread list. */ | ||||
tid = db_hex2dec(addr); | tid = db_hex2dec(addr); | ||||
for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) { | for (thr = kdb_thr_first(); thr != NULL; thr = kdb_thr_next(thr)) { | ||||
if ((void *)thr == (void *)addr || tid == thr->td_tid) | if ((void *)thr == (void *)addr || tid == thr->td_tid) | ||||
return (0); | |||||
} | |||||
return (EACCES); | |||||
} | |||||
static int | |||||
db_show_ffs_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) | |||||
{ | |||||
struct mount *mp; | |||||
/* No addr will show all mounts. */ | |||||
if (!have_addr) | |||||
return (0); | |||||
TAILQ_FOREACH(mp, &mountlist, mnt_list) | |||||
if ((void *)mp == (void *)addr) | |||||
return (0); | |||||
return (EACCES); | |||||
} | |||||
static int | |||||
db_show_prison_valid(db_expr_t addr, bool have_addr, db_expr_t count, | |||||
char *modif) | |||||
{ | |||||
struct prison *pr; | |||||
int pr_id; | |||||
if (!have_addr || addr == 0) | |||||
return (0); | |||||
/* prison can match by pointer address or ID. */ | |||||
pr_id = (int)addr; | |||||
TAILQ_FOREACH(pr, &allprison, pr_list) | |||||
if (pr->pr_id == pr_id || (void *)pr == (void *)addr) | |||||
return (0); | |||||
return (EACCES); | |||||
} | |||||
static int | |||||
db_show_proc_valid(db_expr_t addr, bool have_addr, db_expr_t count, | |||||
char *modif) | |||||
{ | |||||
struct proc *p; | |||||
int i; | |||||
/* Default will show the current proc. */ | |||||
if (!have_addr) | |||||
return (0); | |||||
for (i = 0; i <= pidhash; i++) { | |||||
LIST_FOREACH(p, &pidhashtbl[i], p_hash) { | |||||
if ((void *)p == (void *)addr) | |||||
return (0); | |||||
} | |||||
} | |||||
return (EACCES); | |||||
} | |||||
static int | |||||
db_show_rman_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) | |||||
{ | |||||
struct rman *rm; | |||||
TAILQ_FOREACH(rm, &rman_head, rm_link) { | |||||
if ((void *)rm == (void *)rm) | |||||
return (0); | |||||
} | |||||
return (EACCES); | |||||
} | |||||
static int | |||||
db_show_vnet_valid(db_expr_t addr, bool have_addr, db_expr_t count, char *modif) | |||||
{ | |||||
VNET_ITERATOR_DECL(vnet); | |||||
if (!have_addr) | |||||
return (0); | |||||
VNET_FOREACH(vnet) { | |||||
if ((void *)vnet == (void *)addr) | |||||
return (0); | return (0); | ||||
} | } | ||||
return (EACCES); | return (EACCES); | ||||
} | } | ||||
static int | static int | ||||
command_match(struct db_command *cmd, struct cmd_list_item item) | command_match(struct db_command *cmd, struct cmd_list_item item) | ||||
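Review bot: `db_show_rman_valid` compares `rm` with itself, `if ((void *)rm == (void *)rm)`, instead of with `addr`, so whenever `rman_head` holds at least one entry the function returns 0 for any address and the validator no longer restricts what `show rman` may dereference. This rendering does not preserve which side the single-column lines belong to, so the point applies only if that function is on the new side of the change. The comparison should read `if ((void *)rm == (void *)addr)`, and unlike the sibling validators this one never consults `have_addr`, which deserves a one-line comment if the omission is intentional. `command_match` begins at the end of this view and its body continues outside it.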