| author | Olivier Certner <olce@FreeBSD.org> | 2024-08-02 15:57:51 +0000 |
|---|---|---|
| committer | Olivier Certner <olce@FreeBSD.org> | 2025-01-17 12:24:53 +0000 |
| commit | f872814e2d7a8841411569fc707b028463c7656b (patch) | |
| tree | 3bd855e21131d0cccd90d14b9a9d9028efe7dd20 /sys/fs | |
| parent | 5c09fafd8398181a149c0457d56c5b7c2518b370 (diff) | |
cred: proc_set_cred(), proc_unset_cred(): Update user's process count
As a process really changes credentials at the moment proc_set_cred() or
proc_unset_cred() is called, these functions are the proper locations to
perform the update of the new and old real users' process count (using
chgproccnt()).
Before this change, change_ruid() instead would perform that update,
although it operates only on a passed credential which is a priori not
tied to the calling process (or not to any process at all). This was
arguably a flaw of commit b1fc0ec1a7a49ded, r77183, based on its commit
message, and in particular the portion "(...) In each case, the call now
acts on a credential not a process (...)".
Fixing this makes using change_ruid() more natural when building
candidate credentials that in the end are not applied to a process,
e.g., because of some intervening privilege check. Also, it removes
a hack around this unwanted process count change in unionfs.
We also introduce the new proc_set_cred_enforce_proc_lim() so that
callers can respect the per-user process limit, and will use it for the
upcoming setcred(). We plan to change all callers of proc_set_cred() to
call this new function instead at some point. In the meantime, both
proc_set_cred() and the new function will coexist.
As detailed in some proc_set_cred_enforce_proc_lim()'s comment, checking
against the process limit is currently flawed as the kernel doesn't
really maintain the number of processes per UID (besides RLIMIT_NPROC,
this in fact also applies to RLIMIT_KQUEUES, RLIMIT_NPTS, RLIMIT_SBSIZE
and RLIMIT_SWAP). The applied limit is currently that of the old real
UID. Root (or a process granted with PRIV_PROC_LIMIT) is not subject to
this limit.
Approved by: markj (mentor)
Fixes: b1fc0ec1a7a49ded
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46923
(cherry picked from commit d2be7ed63affd8af5fe6203002b7cc3cbe7f7891)
Additional changes for this MFC:
1. <sys/types.h> was added as an include in <sys/ucred.h>, as some of
its types are necessary whether the header is included by the kernel
or userland. Some later -CURRENT commits added it, but are not
planned to be MFCed (mac_do(4) series, which doesn't exist in
stable/13).
2. A number of files in 'lib/libprocstat' that include (indirectly)
<sys/ucred.h> with _KERNEL defined were patched to include
<stdbool.h> beforehand, so that 'bool', which is part of the new
signature for proc_set_cred*(), is defined when <sys/ucred.h> is
processed (<sys/types.h> does not define it when _KERNEL is defined).
Diffstat (limited to 'sys/fs')
| -rw-r--r-- | sys/fs/unionfs/union_subr.c | 6 |
|---|---|---|
1 file changed, 0 insertions, 6 deletions
diff --git a/sys/fs/unionfs/union_subr.c b/sys/fs/unionfs/union_subr.c index 22c8ffe88bde..56c16fc9ed6e 100644 --- a/sys/fs/unionfs/union_subr.c +++ b/sys/fs/unionfs/union_subr.c @@ -775,11 +775,6 @@ unionfs_mkshadowdir(struct unionfs_mount *ump, struct vnode *udvp, /* Authority change to root */ rootinfo = uifind((uid_t)0); cred = crdup(cnp->cn_cred); - /* - * The calls to chgproccnt() are needed to compensate for change_ruid() - * calling chgproccnt(). - */ - chgproccnt(cred->cr_ruidinfo, 1, 0); change_euid(cred, rootinfo); change_ruid(cred, rootinfo); change_svuid(cred, (uid_t)0); @@ -831,7 +826,6 @@ unionfs_mkshadowdir_free_out: unionfs_mkshadowdir_abort: cnp->cn_cred = credbk; - chgproccnt(cred->cr_ruidinfo, -1, 0); crfree(cred); return (error); |
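Review bot: In the first hunk (unionfs_mkshadowdir), dropping the compensating chgproccnt(cred->cr_ruidinfo, 1, 0) ahead of change_ruid(cred, rootinfo) is only correct together with the kern_prot.c part of this commit that moves the chgproccnt() call out of change_ruid() and into proc_set_cred()/proc_unset_cred(); that file is outside this sys/fs-limited diffstat. Merged on its own, this hunk would leave change_ruid() still decrementing the caller's real user count and incrementing root's for a credential that is only swapped into cnp->cn_cred and never installed on the process, which is exactly the drift the removed comment describes. A one-line comment at the crdup() stating that cred is a temporary credential that never reaches proc_set_cred(), so no per-user process accounting applies, would keep that reasoning visible now that the old comment is gone.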
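Review bot: The second hunk's removal of chgproccnt(cred->cr_ruidinfo, -1, 0) at unionfs_mkshadowdir_abort is the required counterpart of the first: once the increment is gone, keeping this decrement would push root's process count (cred->cr_ruidinfo is rootinfo after change_ruid()) negative every time the label is reached. With the label reduced to restoring cnp->cn_cred = credbk and crfree(cred), it is worth confirming that every exit path from unionfs_mkshadowdir() still flows through it so the crdup() reference is released, and that the rootinfo reference taken by uifind((uid_t)0) is dropped with uifree() elsewhere in the function, since neither is visible in this hunk.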