PERFORCE change 79535 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jul 4 11:15:51 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79535
Change 79535 by rwatson at rwatson_paprika on 2005/07/04 11:15:16
On amd64, check access to /dev/io against CAP_SYS_RAWIO.
On amd64, use CAP_SYS_RAWIO to control access to setting user space
debugging registers on kernel addresses. However, it strikes me
that this should likely be entirely disallowed.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/io.c#2 edit
.. //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/machdep.c#11 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/io.c#2 (text+ko) ====
@@ -28,6 +28,7 @@
__FBSDID("$FreeBSD: src/sys/amd64/amd64/io.c,v 1.1 2004/08/01 11:40:50 markm Exp $");
#include <sys/param.h>
+#include <sys/capability.h>
#include <sys/conf.h>
#include <sys/fcntl.h>
#include <sys/lock.h>
@@ -54,7 +55,7 @@
{
int error;
- error = suser(td);
+ error = cap_check(td, CAP_SYS_RAWIO);
if (error != 0)
return (error);
error = securelevel_gt(td->td_ucred, 0);
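Review bot: Missing documentation at `error = cap_check(td, CAP_SYS_RAWIO);` in the second io.c hunk: the call to `securelevel_gt(td->td_ucred, 0)` that follows is kept, so the capability is necessary but not sufficient for /dev/io access, and nothing in the visible lines says so. A short comment above the cap_check() call noting that the securelevel test still applies would keep a later reader from treating CAP_SYS_RAWIO as the whole policy for this device.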
==== //depot/projects/trustedbsd/sebsd/sys/amd64/amd64/machdep.c#11 (text+ko) ====
@@ -1726,9 +1726,12 @@
* address space is written into from within the kernel
* ... wouldn't that still cause a breakpoint to be generated
* from within kernel mode?
+ *
+ * XXXRW: Should we allow privileged user processes to do
+ * this at all?
*/
- if (suser(td) != 0) {
+ if (cap_check(td, CAP_SYS_RAWIO) != 0) {
if (dbregs->dr[7] & 0x3) {
/* dr0 is enabled */
if (dbregs->dr[0] >= VM_MAXUSER_ADDRESS)
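Review bot: Logic concern at `if (cap_check(td, CAP_SYS_RAWIO) != 0) {` in machdep.c: the capability test is the condition for running the `dbregs->dr[0] >= VM_MAXUSER_ADDRESS` validation, so a thread that holds CAP_SYS_RAWIO skips the address check and can load kernel addresses into its debug registers. The new XXXRW comment and the commit message both question whether that should be allowed; consider making the VM_MAXUSER_ADDRESS validation unconditional, or, if the bypass stays, have the XXXRW comment state that the capability is what permits kernel addresses. Unlike the io.c hunk, no securelevel test appears in the visible lines here, so the two uses of CAP_SYS_RAWIO are not gated the same way.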