diff options
| author | Greg Steuck <gnezdo@cvs.openbsd.org> | 2022-01-25 04:04:42 +0000 |
|---|---|---|
| committer | Greg Steuck <gnezdo@cvs.openbsd.org> | 2022-01-25 04:04:42 +0000 |
| commit | c06ea86d3e9b1473fa4399cf3e4a6d797e641e21 (patch) | |
| tree | 1c06afb7bb6adbe3839d789872f4d70a36a09d62 | |
| parent | 37f5b35710e48314d1b0f73843edddd08030977b (diff) | |
Capture a repeated pattern into sysctl_securelevel_int function
A few variables in the kernel are only writeable before securelevel is
raised. It makes sense to handle them with less code.
OK sthen@ bluhm@
| -rw-r--r-- | sys/arch/amd64/amd64/machdep.c | 10 | ||||
| -rw-r--r-- | sys/arch/i386/i386/machdep.c | 10 | ||||
| -rw-r--r-- | sys/kern/kern_sysctl.c | 35 | ||||
| -rw-r--r-- | sys/kern/vfs_subr.c | 7 | ||||
| -rw-r--r-- | sys/netinet/ip_input.c | 9 | ||||
| -rw-r--r-- | sys/sys/sysctl.h | 3 |
6 files changed, 33 insertions, 41 deletions
diff --git a/sys/arch/amd64/amd64/machdep.c b/sys/arch/amd64/amd64/machdep.c index 326f1c10253..08a20bf76ed 100644 --- a/sys/arch/amd64/amd64/machdep.c +++ b/sys/arch/amd64/amd64/machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: machdep.c,v 1.275 2021/10/06 15:46:03 claudio Exp $ */ +/* $OpenBSD: machdep.c,v 1.276 2022/01/25 04:04:40 gnezdo Exp $ */ /* $NetBSD: machdep.c,v 1.3 2003/05/07 22:58:18 fvdl Exp $ */ /*- @@ -513,12 +513,8 @@ cpu_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, case CPU_CPUVENDOR: return (sysctl_rdstring(oldp, oldlenp, newp, cpu_vendor)); case CPU_KBDRESET: - if (securelevel > 0) - return (sysctl_rdint(oldp, oldlenp, newp, - kbd_reset)); - else - return (sysctl_int(oldp, oldlenp, newp, newlen, - &kbd_reset)); + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &kbd_reset)); case CPU_ALLOWAPERTURE: if (namelen != 1) return (ENOTDIR); /* overloaded */ diff --git a/sys/arch/i386/i386/machdep.c b/sys/arch/i386/i386/machdep.c index 0d32cd4edd7..cbc55378966 100644 --- a/sys/arch/i386/i386/machdep.c +++ b/sys/arch/i386/i386/machdep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: machdep.c,v 1.646 2021/10/06 15:46:03 claudio Exp $ */ +/* $OpenBSD: machdep.c,v 1.647 2022/01/25 04:04:40 gnezdo Exp $ */ /* $NetBSD: machdep.c,v 1.214 1996/11/10 03:16:17 thorpej Exp $ */ /*- @@ -3617,12 +3617,8 @@ cpu_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, case CPU_CPUFEATURE: return (sysctl_rdint(oldp, oldlenp, newp, curcpu()->ci_feature_flags)); case CPU_KBDRESET: - if (securelevel > 0) - return (sysctl_rdint(oldp, oldlenp, newp, - kbd_reset)); - else - return (sysctl_int(oldp, oldlenp, newp, newlen, - &kbd_reset)); + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &kbd_reset)); #if NPCKBC > 0 && NUKBD > 0 case CPU_FORCEUKBD: { diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index e71cdf5897d..6caeb627196 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_sysctl.c,v 1.398 2021/12/23 10:17:01 bluhm Exp $ */ +/* $OpenBSD: kern_sysctl.c,v 1.399 2022/01/25 04:04:40 gnezdo Exp $ */ /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */ /*- @@ -473,14 +473,12 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, return (0); #if NDT > 0 case KERN_ALLOWDT: - if (securelevel > 0) - return (sysctl_rdint(oldp, oldlenp, newp, allowdt)); - return (sysctl_int(oldp, oldlenp, newp, newlen, &allowdt)); + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &allowdt)); #endif case KERN_ALLOWKMEM: - if (securelevel > 0) - return (sysctl_rdint(oldp, oldlenp, newp, allowkmem)); - return (sysctl_int(oldp, oldlenp, newp, newlen, &allowkmem)); + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &allowkmem)); case KERN_HOSTNAME: error = sysctl_tstring(oldp, oldlenp, newp, newlen, hostname, sizeof(hostname)); @@ -757,10 +755,7 @@ hw_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, return (sysctl_rdquad(oldp, oldlenp, newp, ptoa((psize_t)physmem - uvmexp.wired))); case HW_ALLOWPOWERDOWN: - if (securelevel > 0) - return (sysctl_rdint(oldp, oldlenp, newp, - allowpowerdown)); - return (sysctl_int(oldp, oldlenp, newp, newlen, + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, &allowpowerdown)); #ifdef __HAVE_CPU_TOPOLOGY case HW_SMT: @@ -876,6 +871,18 @@ sysctl_rdint(void *oldp, size_t *oldlenp, void *newp, int val) } /* + * Selects between sysctl_rdint and sysctl_int according to securelevel. + */ +int +sysctl_securelevel_int(void *oldp, size_t *oldlenp, void *newp, size_t newlen, + int *valp) +{ + if (securelevel > 0) + return (sysctl_rdint(oldp, oldlenp, newp, *valp)); + return (sysctl_int(oldp, oldlenp, newp, newlen, valp)); +} + +/* * Read-only or bounded integer values. */ int @@ -2501,11 +2508,9 @@ sysctl_utc_offset(void *oldp, size_t *oldlenp, void *newp, size_t newlen) int adjustment_seconds, error, new_offset_minutes, old_offset_minutes; old_offset_minutes = utc_offset / 60; /* seconds -> minutes */ - if (securelevel > 0) - return sysctl_rdint(oldp, oldlenp, newp, old_offset_minutes); - new_offset_minutes = old_offset_minutes; - error = sysctl_int(oldp, oldlenp, newp, newlen, &new_offset_minutes); + error = sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &new_offset_minutes); if (error) return error; if (new_offset_minutes < -24 * 60 || new_offset_minutes > 24 * 60) diff --git a/sys/kern/vfs_subr.c b/sys/kern/vfs_subr.c index 43a7cbd4ae9..069a65d51e0 100644 --- a/sys/kern/vfs_subr.c +++ b/sys/kern/vfs_subr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_subr.c,v 1.313 2021/10/25 10:24:54 claudio Exp $ */ +/* $OpenBSD: vfs_subr.c,v 1.314 2022/01/25 04:04:40 gnezdo Exp $ */ /* $NetBSD: vfs_subr.c,v 1.53 1996/04/22 01:39:13 christos Exp $ */ /* @@ -1845,9 +1845,8 @@ fs_posix_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, switch (name[0]) { case FS_POSIX_SETUID: - if (newp && securelevel > 0) - return (EPERM); - return(sysctl_int(oldp, oldlenp, newp, newlen, &suid_clear)); + return (sysctl_securelevel_int(oldp, oldlenp, newp, newlen, + &suid_clear)); default: return (EOPNOTSUPP); } diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 9e7e20af30b..e9042d8e093 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_input.c,v 1.364 2021/11/22 13:47:10 bluhm Exp $ */ +/* $OpenBSD: ip_input.c,v 1.365 2022/01/25 04:04:40 gnezdo Exp $ */ /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */ /* @@ -1610,13 +1610,8 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, switch (name[0]) { case IPCTL_SOURCEROUTE: - /* - * Don't allow this to change in a secure environment. - */ - if (newp && securelevel > 0) - return (EPERM); NET_LOCK(); - error = sysctl_int(oldp, oldlenp, newp, newlen, + error = sysctl_securelevel_int(oldp, oldlenp, newp, newlen, &ip_dosourceroute); NET_UNLOCK(); return (error); diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h index 29f82bcece3..6ff6e3cffaf 100644 --- a/sys/sys/sysctl.h +++ b/sys/sys/sysctl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sysctl.h,v 1.221 2022/01/11 23:59:55 jsg Exp $ */ +/* $OpenBSD: sysctl.h,v 1.222 2022/01/25 04:04:41 gnezdo Exp $ */ /* $NetBSD: sysctl.h,v 1.16 1996/04/09 20:55:36 cgd Exp $ */ /* @@ -1017,6 +1017,7 @@ typedef int (sysctlfn)(int *, u_int, void *, size_t *, void *, size_t, struct pr int sysctl_int_lower(void *, size_t *, void *, size_t, int *); int sysctl_int(void *, size_t *, void *, size_t, int *); int sysctl_rdint(void *, size_t *, void *, int); +int sysctl_securelevel_int(void *, size_t *, void *, size_t, int *); int sysctl_int_bounded(void *, size_t *, void *, size_t, int *, int, int); int sysctl_bounded_arr(const struct sysctl_bounded_args *, u_int, int *, u_int, void *, size_t *, void *, size_t); |