My mentor Darren Moffat suggested that I should ask for reviewers to look over the changes I made to introduce the new basic privileges restricting file access, introduced appropriate secpolicy_vnode_* functions in policy.c and ported UFS and TMPFS to use these functions.
My webrev is located at: http://myhpi.de/~nicolai/webrev/ To get an overview about the new basic privileges and its semantics, I posted the changes to priv_defs in this mail: ---------- basic privilege PRIV_FILE_NANON_READ Without having set PRIV_FILE_NANON_READ, a process is only able to perform read operations on globally readable files or directories because it can only act like an 'anonymous process' and cannot benefit from its euid, egid or group memberships. Additional rights gained through PRIV_FILE_DAC_READ will not be restricted if PRIV_FILE_NANON_READ is not set. basic privilege PRIV_FILE_NANON_WRITE Without having set PRIV_FILE_NANON_WRITE, a process is only able to perform write operations on globally writable files or directories because it can only act like an 'anonymous process' and cannot benefit from its euid, egid or group memberships. Additional rights gained through PRIV_FILE_DAC_WRITE will not be restricted if PRIV_FILE_NANON_WRITE is not set. basic privilege PRIV_FILE_NANON_EXECUTE Without having set PRIV_FILE_NANON_EXECUTE, a process is only able to perform execute operations on globally executable files because it can only act like an 'anonymous process' and cannot benefit from its euid, egid or group memberships. Additional rights gained through PRIV_FILE_DAC_EXECUTE will not be restricted if PRIV_FILE_NANON_EXECUTE is not set. basic privilege PRIV_FILE_NANON_SEARCH Without having set PRIV_FILE_NANON_SEARCH, a process is only able to perform search operations on globally searchable directories because it can only act like an 'anonymous process' and cannot benefit from its euid, egid or associated groups. Additional rights gained through PRIV_FILE_DAC_SEARCH will not be restricted if PRIV_FILE_NANON_EXECUTE is not set. basic privilege PRIV_FILE_NANON_OWNER PRIV_FILE_NANON_OWNER allows a process to perform operations on a file, directory or link that require ownership. PRIV_FILE_OWNER may always substitute PRIV_FILE_NANON_OWNER. Without having set at least one of both privileges, a process is considered to be 'anonymous' and cannot benefit from its euid. Affected operations are e. g. changing permission bits/acls, changing access and modification times, changing the gid of an owned file or directory when a process is member of this group, creating hardlinks to files owned by a UID equal to the process's effective UID, renaming or moving in a directory with the sticky bit, mounting a file system on a mount point owned by a UID equal to the process's effective UID and creating of a new file, directory or symbolic link. To change permission bits/acls of an owned file PRIV_FILE_NANON_READ or PRIV_FILE_DAC_READ, PRIV_FILE_NANON_WRITE or PRIV_FILE_DAC_WRITE and PRIV_FILE_ANON_EXECUTE or PRIF_FILE_DAC_EXECUTE have to be set as well. To change permission bits/acls of an owned directory PRIV_FILE_NANON_READ or PRIV_FILE_DAC_READ, PRIV_FILE_NANON_WRITE or PRIV_FILE_DAC_WRITE and PRIV_FILE_ANON_SEARCH or PRIV_FILE_DAC_SEARCH have to be set as well. To change the gid of an owned file or directory when a process is member of this group, at least one of PRIV_FILE_NANON_OWNER, PRIV_FILE_OWNER, PRIV_FILE_CHOWN or PRIV_FILE_CHOWN_SELF has to be set. So privilege escalation due to permission changes are not possible. If a new file should be created PRIV_FILE_NANON_READ or PRIV_FILE_DAC_READ, PRIV_FILE_NANON_WRITE or PRIV_FILE_DAC_WRITE and PRIV_FILE_ANON_EXECUTE or PRIF_FILE_DAC_EXECUTE have to be set as well. If a directory should be created PRIV_FILE_NANON_READ or PRIV_FILE_DAC_READ, PRIV_FILE_NANON_WRITE or PRIV_FILE_DAC_WRITE and PRIV_FILE_ANON_SEARCH or PRIF_FILE_DAC_SEARCH have to be set as well. So a process that was able to create a file or directory is always able to reopen or enter it later as long no privileges are removed from its effective set. Additional rights gained through PRIV_FILE_OWNER will not be restricted if PRIV_FILE_NANON_OWNER is not set. basic privilege PRIV_FILE_GEN_READ Without having set PRIV_FILE_GEN_READ, file or directory operations that require read permissions will generally not be granted unless the PRIV_FILE_DAC_READ or PRIV_FILE_NANON_READ privilege is set. Additional rights gained through PRIV_FILE_DAC_READ or PRIV_FILE_NANON_READ will not be restricted if PRIV_FILE_GEN_READ is not set. basic privilege PRIV_FILE_GEN_WRITE Without having set PRIV_FILE_GEN_WRITE, file or directory operations that require write permissions will not be granted unless the PRIV_FILE_DAC_WRITE or PRIV_FILE_NANON_WRITE privilege is set. Additional rights gained through PRIV_FILE_DAC_WRITE or PRIV_FILE_NANON_WRITE will not be restricted if PRIV_FILE_GEN_WRITE is not set. basic privilege PRIV_FILE_GEN_EXECUTE Without having set PRIV_FILE_GEN_EXECUTE, file operations that require execute permissions will not be granted unless the PRIV_FILE_DAC_EXECUTE or PRIV_FILE_NANON_EXECUTE privilege is set. Additional rights gained through PRIV_FILE_DAC_EXECUTE or PRIV_FILE_NANON_EXECUTE will not be restricted if PRIV_FILE_GEN_EXECUTE is not set. basic privilege PRIV_FILE_GEN_SEARCH Without having set PRIV_FILE_GEN_SEARCH, directory operations that require search permissions will not be granted unless the PRIV_FILE_DAC_SEARCH or PRIV_FILE_NANON_SEARCH privilege is set. Additional rights gained through PRIV_FILE_DAC_SEARCH or PRIV_FILE_NANON_SEARCH will not be restricted if PRIV_FILE_GEN_SEARCH is not set. ---------- Thank you very much for any comment. Johannes Nicolai Open Solaris Google Summer of Code Student _______________________________________________ ufs-discuss mailing list [email protected]
