cred: Hide internal flag CRED_FLAG_CAPMODE
This flag is used in field 'cr_flags', which is never directly visible outside the kernel. That field is however exported through 'struct kinfo_proc' objects (field 'ki_cr_flags'), either from the kernel via sysctls or from libkvm, and is supposed to contain exported flags prefixed with KI_CRF_ (currently, KI_CRF_CAPABILITY_MODE and KI_CRF_GRP_OVERFLOW, this second one being a purely userland one signaling overflow of 'ki_groups'). Make sure that KI_CRF_CAPABILITY_MODE is the flag actually exported and tested by userland programs, and hide the internal CRED_FLAG_CAPMODE. As both flags are currently defined to the same value, this doesn't change the KBI, but of course does change the KPI. A code search via GitHub and Google fortunately doesn't reveal any outside uses for CRED_FLAG_CAPMODE. While here, move assignment of 'ki_uid' to a more logical place in kvm_proclist(), and definition of XU_NGROUPS as well in 'sys/ucred.h' (no functional/interface changes intended). Reviewed by: mhorne Approved by: markj (mentor) MFC after: 2 weeks Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D46909
This commit is contained in:
+1
-1
@@ -265,7 +265,7 @@ state(KINFO *k, VARENT *ve __unused)
|
|||||||
*cp++ = 'V';
|
*cp++ = 'V';
|
||||||
if ((flag & P_SYSTEM) || k->ki_p->ki_lock > 0)
|
if ((flag & P_SYSTEM) || k->ki_p->ki_lock > 0)
|
||||||
*cp++ = 'L';
|
*cp++ = 'L';
|
||||||
if ((k->ki_p->ki_cr_flags & CRED_FLAG_CAPMODE) != 0)
|
if ((k->ki_p->ki_cr_flags & KI_CRF_CAPABILITY_MODE) != 0)
|
||||||
*cp++ = 'C';
|
*cp++ = 'C';
|
||||||
if (k->ki_p->ki_kiflag & KI_SLEADER)
|
if (k->ki_p->ki_kiflag & KI_SLEADER)
|
||||||
*cp++ = 's';
|
*cp++ = 's';
|
||||||
|
|||||||
@@ -142,11 +142,14 @@ kvm_proclist(kvm_t *kd, int what, int arg, struct proc *p,
|
|||||||
if (proc.p_state == PRS_NEW)
|
if (proc.p_state == PRS_NEW)
|
||||||
continue;
|
continue;
|
||||||
if (KREAD(kd, (u_long)proc.p_ucred, &ucred) == 0) {
|
if (KREAD(kd, (u_long)proc.p_ucred, &ucred) == 0) {
|
||||||
|
kp->ki_uid = ucred.cr_uid;
|
||||||
kp->ki_ruid = ucred.cr_ruid;
|
kp->ki_ruid = ucred.cr_ruid;
|
||||||
kp->ki_svuid = ucred.cr_svuid;
|
kp->ki_svuid = ucred.cr_svuid;
|
||||||
kp->ki_rgid = ucred.cr_rgid;
|
kp->ki_rgid = ucred.cr_rgid;
|
||||||
kp->ki_svgid = ucred.cr_svgid;
|
kp->ki_svgid = ucred.cr_svgid;
|
||||||
kp->ki_cr_flags = ucred.cr_flags;
|
kp->ki_cr_flags = 0;
|
||||||
|
if (ucred.cr_flags & CRED_FLAG_CAPMODE)
|
||||||
|
kp->ki_cr_flags |= KI_CRF_CAPABILITY_MODE;
|
||||||
if (ucred.cr_ngroups > KI_NGROUPS) {
|
if (ucred.cr_ngroups > KI_NGROUPS) {
|
||||||
kp->ki_ngroups = KI_NGROUPS;
|
kp->ki_ngroups = KI_NGROUPS;
|
||||||
kp->ki_cr_flags |= KI_CRF_GRP_OVERFLOW;
|
kp->ki_cr_flags |= KI_CRF_GRP_OVERFLOW;
|
||||||
@@ -154,7 +157,6 @@ kvm_proclist(kvm_t *kd, int what, int arg, struct proc *p,
|
|||||||
kp->ki_ngroups = ucred.cr_ngroups;
|
kp->ki_ngroups = ucred.cr_ngroups;
|
||||||
kvm_read(kd, (u_long)ucred.cr_groups, kp->ki_groups,
|
kvm_read(kd, (u_long)ucred.cr_groups, kp->ki_groups,
|
||||||
kp->ki_ngroups * sizeof(gid_t));
|
kp->ki_ngroups * sizeof(gid_t));
|
||||||
kp->ki_uid = ucred.cr_uid;
|
|
||||||
if (ucred.cr_prison != NULL) {
|
if (ucred.cr_prison != NULL) {
|
||||||
if (KREAD(kd, (u_long)ucred.cr_prison, &pr)) {
|
if (KREAD(kd, (u_long)ucred.cr_prison, &pr)) {
|
||||||
_kvm_err(kd, kd->program,
|
_kvm_err(kd, kd->program,
|
||||||
|
|||||||
+6
-6
@@ -38,11 +38,14 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <bsm/audit.h>
|
#include <bsm/audit.h>
|
||||||
|
|
||||||
|
#if defined(_KERNEL) || defined(_WANT_UCRED)
|
||||||
struct loginclass;
|
struct loginclass;
|
||||||
|
|
||||||
#define XU_NGROUPS 16
|
/*
|
||||||
|
* Flags for cr_flags.
|
||||||
|
*/
|
||||||
|
#define CRED_FLAG_CAPMODE 0x00000001 /* In capability mode. */
|
||||||
|
|
||||||
#if defined(_KERNEL) || defined(_WANT_UCRED)
|
|
||||||
/*
|
/*
|
||||||
* Number of groups inlined in 'struct ucred'. It must stay reasonably low as
|
* Number of groups inlined in 'struct ucred'. It must stay reasonably low as
|
||||||
* it is also used by some functions to allocate an array of this size on the
|
* it is also used by some functions to allocate an array of this size on the
|
||||||
@@ -96,10 +99,7 @@ struct ucred {
|
|||||||
#define FSCRED ((struct ucred *)-1) /* filesystem credential */
|
#define FSCRED ((struct ucred *)-1) /* filesystem credential */
|
||||||
#endif /* _KERNEL || _WANT_UCRED */
|
#endif /* _KERNEL || _WANT_UCRED */
|
||||||
|
|
||||||
/*
|
#define XU_NGROUPS 16
|
||||||
* Flags for cr_flags.
|
|
||||||
*/
|
|
||||||
#define CRED_FLAG_CAPMODE 0x00000001 /* In capability mode. */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This is the external representation of struct ucred.
|
* This is the external representation of struct ucred.
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ procstat_cred(struct procstat *procstat, struct kinfo_proc *kipp)
|
|||||||
xo_emit("{:rgid/%5d} ", kipp->ki_rgid);
|
xo_emit("{:rgid/%5d} ", kipp->ki_rgid);
|
||||||
xo_emit("{:svgid/%5d} ", kipp->ki_svgid);
|
xo_emit("{:svgid/%5d} ", kipp->ki_svgid);
|
||||||
xo_emit("{:umask/%5s} ", get_umask(procstat, kipp));
|
xo_emit("{:umask/%5s} ", get_umask(procstat, kipp));
|
||||||
xo_emit("{:cr_flags/%s}", kipp->ki_cr_flags & CRED_FLAG_CAPMODE ?
|
xo_emit("{:cr_flags/%s}", kipp->ki_cr_flags & KI_CRF_CAPABILITY_MODE ?
|
||||||
"C" : "-");
|
"C" : "-");
|
||||||
xo_emit("{P: }");
|
xo_emit("{P: }");
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user