[PATCH] Move various sysctls to node security

Matthias Schmidt Fri, 30 Sep 2005 05:20:23 -0700

Hi,

I moved the following sysctl's to a new parent node named security:


- kern.ps_showallprocs
- kern.ps_showallthreads
- kern.unprivileged_read_msgbuf
- kern.hardlink_check_uid
- kern.hardlink_check_gid

I think security is more intuitive than kern :)

Discussed with: joerg@ on IRC


        Matthias

diff -urN sys.orig/kern/kern_mib.c sys/kern/kern_mib.c
--- sys.orig/kern/kern_mib.c    2005-09-30 11:12:54.000000000 +0200
+++ sys/kern/kern_mib.c 2005-09-30 13:25:52.000000000 +0200
@@ -74,6 +74,8 @@
        "p1003_1b, (see p1003_1b.h)");
 SYSCTL_NODE(, CTL_LWKT,  lwkt,   CTLFLAG_RW, 0,
        "light weight kernel threads");
+SYSCTL_NODE(, OID_AUTO,  security,   CTLFLAG_RW, 0,
+       "Security");
 
 SYSCTL_NODE(, OID_AUTO,  compat, CTLFLAG_RW, 0,
        "Compatibility code");
diff -urN sys.orig/kern/kern_proc.c sys/kern/kern_proc.c
--- sys.orig/kern/kern_proc.c   2005-09-30 11:12:54.000000000 +0200
+++ sys/kern/kern_proc.c        2005-09-30 13:43:13.000000000 +0200
@@ -58,12 +58,15 @@
 static MALLOC_DEFINE(M_PROC, "proc", "Proc structures");
 MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures");
 
+SYSCTL_DECL(_security);
 int ps_showallprocs = 1;
 static int ps_showallthreads = 1;
-SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW,
-    &ps_showallprocs, 0, "");
-SYSCTL_INT(_kern, OID_AUTO, ps_showallthreads, CTLFLAG_RW,
-    &ps_showallthreads, 0, "");
+SYSCTL_INT(_security, OID_AUTO, ps_showallprocs, CTLFLAG_RW,
+    &ps_showallprocs, 0,
+    "Unprivileged processes can see proccesses with different UID/GID");
+SYSCTL_INT(_security, OID_AUTO, ps_showallthreads, CTLFLAG_RW,
+    &ps_showallthreads, 0,
+    "Unprivileged processes can see kernel threads");
 
 static void pgdelete   (struct pgrp *);
 
diff -urN sys.orig/kern/subr_prf.c sys/kern/subr_prf.c
--- sys.orig/kern/subr_prf.c    2005-09-30 11:12:56.000000000 +0200
+++ sys/kern/subr_prf.c 2005-09-30 13:43:28.000000000 +0200
@@ -100,8 +100,9 @@
 SYSCTL_INT(_kern, OID_AUTO, log_console_output, CTLFLAG_RW,
     &log_console_output, 0, "");
 
+SYSCTL_DECL(_security);
 static int unprivileged_read_msgbuf = 1;
-SYSCTL_INT(_kern, OID_AUTO, unprivileged_read_msgbuf, CTLFLAG_RW,
+SYSCTL_INT(_security, OID_AUTO, unprivileged_read_msgbuf, CTLFLAG_RW,
     &unprivileged_read_msgbuf, 0,
     "Unprivileged processes may read the kernel message buffer");
 
diff -urN sys.orig/kern/vfs_syscalls.c sys/kern/vfs_syscalls.c
--- sys.orig/kern/vfs_syscalls.c        2005-09-30 11:12:57.000000000 +0200
+++ sys/kern/vfs_syscalls.c     2005-09-30 13:43:41.000000000 +0200
@@ -1569,13 +1569,14 @@
        return (error);
 }
 
+SYSCTL_DECL(_security);
 static int hardlink_check_uid = 0;
-SYSCTL_INT(_kern, OID_AUTO, hardlink_check_uid, CTLFLAG_RW,
+SYSCTL_INT(_security, OID_AUTO, hardlink_check_uid, CTLFLAG_RW,
     &hardlink_check_uid, 0, 
     "Unprivileged processes cannot create hard links to files owned by other "
     "users");
 static int hardlink_check_gid = 0;
-SYSCTL_INT(_kern, OID_AUTO, hardlink_check_gid, CTLFLAG_RW,
+SYSCTL_INT(_security, OID_AUTO, hardlink_check_gid, CTLFLAG_RW,
     &hardlink_check_gid, 0,
     "Unprivileged processes cannot create hard links to files owned by other "
     "groups");

[PATCH] Move various sysctls to node security

Reply via email to