mac_do(4): added traditional syscalls support to mac_do(4) #5
base: oc-thesynthax
Signed-off-by: Kushagra Srivastava <kushagra1403@gmail.com>
OlCe2
left a comment
This overall looks fine. Please see inline comments.
sys/security/mac_do/mac_do.c
Outdated
| } | ||
| else | ||
| } else { | ||
| break; | ||
| } |
Gratuitous style change (please revert).
sys/security/mac_do/mac_do.c
Outdated
| } | ||
| else | ||
| } else { | ||
| break; | ||
| } |
Gratuitous style change (please revert).
| } | ||
| } | ||
|
|
||
| /* 'gid' wasn't explicitly accepted. */ |
Please keep this comment.
sys/security/mac_do/mac_do.c
Outdated
| const int supp_ngroups = old_cred->cr_ngroups; | ||
| const gid_t *supp_groups = (supp_ngroups > 0) ? &new_cred->cr_groups[1] : NULL; | ||
|
|
||
| return (rule_grant_setgroups(rule, old_cred, supp_ngroups, supp_groups)); |
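Review bot: supp_ngroups is taken from old_cred->cr_ngroups, but supp_groups points into new_cred->cr_groups, and at index 1 rather than 0. If rule_grant_setgroups() treats its last two arguments as a count and the array that count describes, the length comes from a different credential than the array, and starting one element in without reducing the count lets the callee read past the groups it was told about. Take the count from the same credential as the pointer, and subtract the skipped element if the offset stays.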
| const int supp_ngroups = old_cred->cr_ngroups; | |
| const gid_t *supp_groups = (supp_ngroups > 0) ? &new_cred->cr_groups[1] : NULL; | |
| return (rule_grant_setgroups(rule, old_cred, supp_ngroups, supp_groups)); | |
| return (rule_grant_setgroups(rule, old_cred, old_cred->cr_ngroups, new_cred->cr_groups)); |
After recent changes in -CURRENT, cr_groups now only holds supplementary groups (and not the effective GID).
sys/security/mac_do/mac_do.c
Outdated
| (gid_flags & MDF_SUPP_MASK) != 0; | ||
| id_nb_t rule_idx = 0; | ||
| int old_idx = 1, new_idx = 1; | ||
| int old_idx = 1, new_idx = 0; |
Should be:
| int old_idx = 1, new_idx = 0; | |
| int old_idx = 0, new_idx = 0; |
after recent changes in -CURRENT. Will fix that in a separate commit (tomorrow probably).
sys/security/mac_do/mac_do.c
Outdated
| /* Bail out fast if we aren't concerned. */ | ||
| if (priv != PRIV_CRED_SETCRED) | ||
| return (EPERM); | ||
| switch (priv) { |
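Review bot: the early exit `if (priv != PRIV_CRED_SETCRED) return (EPERM);` appears here next to the new `switch (priv) {`, and no default case is visible in these lines. Make sure the switch ends with a `default:` that returns EPERM, so that a privilege this policy does not handle is never granted by falling through, and keep the "Bail out fast" comment next to that branch.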
For all sub-blocks of this switch, please move the code into separate functions (e.g., priv_grant_setcred(), priv_grant_user(), priv_grant_group(), etc.).
This will remove indentation and separate the different recipes. Declarations in a switch are valid in the whole switch block, so you had to add a pair of braces around each block. With this change, they won't be necessary.
Signed-off-by: Kushagra Srivastava <kushagra1403@gmail.com>
Added support for setuid(2), seteuid(2), setreuid(2), setresuid(2), setgid(2), setegid(2), setregid(2), setresgid(2), setgroups(2) in MAC/do