PERFORCE change 108410 for review
Todd Miller
millert at FreeBSD.org
Wed Oct 25 12:11:06 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=108410
Change 108410 by millert at millert_macbook on 2006/10/25 19:10:13
Call mac_proc_check_debug() for ptrace() and task_for_pid().
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/mach_process.c#2 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/vm_unix.c#3 edit
.. //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#15 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/kern/mach_process.c#2 (text+ko) ====
@@ -417,5 +417,13 @@
*errp = EBUSY;
return (0);
}
+
+#ifdef MAC
+ my_err = mac_proc_check_debug(creds, traced_procp);
+ if (my_err) {
+ *errp = my_err;
+ return (0);
+ }
+#endif
return(1);
}
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/bsd/vm/vm_unix.c#3 (text+ko) ====
@@ -405,6 +405,11 @@
)
&& (p->p_stat != SZOMB)
) {
+#ifdef MAC
+ error = mac_proc_check_debug(kauth_cred_get(), p);
+ if (error)
+ goto noperm;
+#endif
if (p->task != TASK_NULL) {
task_reference(p->task);
sright = (void *)convert_task_to_port(p->task);
@@ -419,6 +424,7 @@
error = KERN_SUCCESS;
goto tfpout;
}
+noperm:
task_deallocate(t1);
tret = MACH_PORT_NULL;
(void) copyout((char *) &tret, task_addr, sizeof(mach_port_name_t));
==== //depot/projects/trustedbsd/sedarwin8/darwin/xnu/security/mac_policy.h#15 (text+ko) ====
@@ -3513,8 +3513,7 @@
Determine whether the subject identified by the credential can debug
the passed process. This call may be made in a number of situations,
- including use of the ptrace(2) and ktrace(2) APIs, as well as for some
- types of procfs operations.
+ including use of the ptrace(2), ktrace(2) and task_for_pid(2) APIs.
@return Return 0 if access is granted, otherwise an appropriate value for
errno should be returned. Suggested failure: EACCES for label mismatch,
More information about the trustedbsd-cvs
mailing list