diff options
| author | Konstantin Belousov <kib@FreeBSD.org> | 2021-01-14 13:51:52 +0000 |
|---|---|---|
| committer | Konstantin Belousov <kib@FreeBSD.org> | 2021-06-13 01:22:33 +0000 |
| commit | dc107fe1f939c7d4c5575868202b4cd3edf3e846 (patch) | |
| tree | 9496e279dd93abdd4e0856b58039c2e9450149d3 | |
| parent | ff59c9de3274134e3e517a7faf7b5fbedfc0bb7f (diff) | |
| download | src-dc107fe1f939c7d4c5575868202b4cd3edf3e846.tar.gz src-dc107fe1f939c7d4c5575868202b4cd3edf3e846.zip | |
linuxolator: Add compat.linux.setid_allowed knob
PR: 21463
(cherry picked from commit 598f6fb49c9ca688029b79de0a44227ab79c608c)
| -rw-r--r-- | share/man/man4/linux.4 | 14 | ||||
| -rw-r--r-- | sys/amd64/linux/linux_sysvec.c | 1 | ||||
| -rw-r--r-- | sys/amd64/linux32/linux32_sysvec.c | 1 | ||||
| -rw-r--r-- | sys/arm64/linux/linux_sysvec.c | 1 | ||||
| -rw-r--r-- | sys/compat/linux/linux_mib.c | 12 | ||||
| -rw-r--r-- | sys/compat/linux/linux_mib.h | 3 | ||||
| -rw-r--r-- | sys/i386/linux/linux_sysvec.c | 2 |
7 files changed, 33 insertions, 1 deletions
diff --git a/share/man/man4/linux.4 b/share/man/man4/linux.4 index 23bc0c26f7f9..b2d36158c622 100644 --- a/share/man/man4/linux.4 +++ b/share/man/man4/linux.4 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 5, 2020 +.Dd May 6, 2021 .Dt LINUX 4 .Os .Sh NAME @@ -130,6 +130,18 @@ From a user perspective, this makes .Va SIGINFO work for Linux executables. Defaults to 0. +.It Va compat.linux.setid_allowed +Disable handling of set-user-ID and set-group-ID mode bits for the new +process image file when image is to be executed under Linux ABI. +When set, new Linux images always use credentials of the program +that issued +.Xr execve 2 +call, regardless of the image file mode. +.Pp +This might be reasonable or even required, because +.Fx +does not emulate Linux environment completely, and missed features +could become holes. .El .Sh FILES .Bl -tag -width /compat/linux/dev/shm -compact diff --git a/sys/amd64/linux/linux_sysvec.c b/sys/amd64/linux/linux_sysvec.c index 252579a4809e..3766cea5e699 100644 --- a/sys/amd64/linux/linux_sysvec.c +++ b/sys/amd64/linux/linux_sysvec.c @@ -763,6 +763,7 @@ struct sysentvec elf_linux_sysvec = { .sv_onexec = linux_on_exec, .sv_onexit = linux_on_exit, .sv_ontdexit = linux_thread_dtor, + .sv_setid_allowed = &linux_setid_allowed_query, }; static void diff --git a/sys/amd64/linux32/linux32_sysvec.c b/sys/amd64/linux32/linux32_sysvec.c index 3790d0fcb69c..2fd246086810 100644 --- a/sys/amd64/linux32/linux32_sysvec.c +++ b/sys/amd64/linux32/linux32_sysvec.c @@ -930,6 +930,7 @@ struct sysentvec elf_linux_sysvec = { .sv_onexec = linux_on_exec, .sv_onexit = linux_on_exit, .sv_ontdexit = linux_thread_dtor, + .sv_setid_allowed = &linux_setid_allowed_query, }; static void diff --git a/sys/arm64/linux/linux_sysvec.c b/sys/arm64/linux/linux_sysvec.c index e20e0fd32b91..7c88b0d9f2ea 100644 --- a/sys/arm64/linux/linux_sysvec.c +++ b/sys/arm64/linux/linux_sysvec.c @@ -441,6 +441,7 @@ struct sysentvec elf_linux_sysvec = { .sv_onexec = linux_on_exec, .sv_onexit = linux_on_exit, .sv_ontdexit = linux_thread_dtor, + .sv_setid_allowed = &linux_setid_allowed_query, }; static void diff --git a/sys/compat/linux/linux_mib.c b/sys/compat/linux/linux_mib.c index cc4207f74a39..3a6627df9abd 100644 --- a/sys/compat/linux/linux_mib.c +++ b/sys/compat/linux/linux_mib.c @@ -99,6 +99,18 @@ int linux_use_emul_path = 1; SYSCTL_INT(_compat_linux, OID_AUTO, use_emul_path, CTLFLAG_RWTUN, &linux_use_emul_path, 0, "Use linux.compat.emul_path"); +static bool linux_setid_allowed = true; +SYSCTL_BOOL(_compat_linux, OID_AUTO, setid_allowed, CTLFLAG_RWTUN, + &linux_setid_allowed, 0, + "Allow setuid/setgid on execve of Linux binary"); + +bool +linux_setid_allowed_query(struct thread *td __unused, + struct image_params *imgp __unused) +{ + return (linux_setid_allowed); +} + static int linux_set_osname(struct thread *td, char *osname); static int linux_set_osrelease(struct thread *td, char *osrelease); static int linux_set_oss_version(struct thread *td, int oss_version); diff --git a/sys/compat/linux/linux_mib.h b/sys/compat/linux/linux_mib.h index 0a1baec39826..49da02da44df 100644 --- a/sys/compat/linux/linux_mib.h +++ b/sys/compat/linux/linux_mib.h @@ -70,4 +70,7 @@ extern int linux_ignore_ip_recverr; extern int linux_preserve_vstatus; extern bool linux_map_sched_prio; +struct image_params; +bool linux_setid_allowed_query(struct thread *td, struct image_params *imgp); + #endif /* _LINUX_MIB_H_ */ diff --git a/sys/i386/linux/linux_sysvec.c b/sys/i386/linux/linux_sysvec.c index ef845675aaa4..1c92dafa7dcc 100644 --- a/sys/i386/linux/linux_sysvec.c +++ b/sys/i386/linux/linux_sysvec.c @@ -871,6 +871,7 @@ struct sysentvec linux_sysvec = { .sv_onexec = linux_on_exec, .sv_onexit = linux_on_exit, .sv_ontdexit = linux_thread_dtor, + .sv_setid_allowed = &linux_setid_allowed_query, }; INIT_SYSENTVEC(aout_sysvec, &linux_sysvec); @@ -908,6 +909,7 @@ struct sysentvec elf_linux_sysvec = { .sv_onexec = linux_on_exec, .sv_onexit = linux_on_exit, .sv_ontdexit = linux_thread_dtor, + .sv_setid_allowed = &linux_setid_allowed_query, }; static void |