3party/crashpad
0
0
Fork 0
mirror of https://github.com/chromium/crashpad.git synced 2025-01-02 19:35:22 +08:00
Code Issues Projects Releases Wiki Activity
crashpad/util/mach/task_for_pid.h

60 lines
2.7 KiB
C
Raw Normal View History

Add TaskForPID(). This also transitions exception_port_tool to use TaskForPID(), so that it can be safely used as a setuid executable without giving permission to operate on any process on the system. It is difficult to provide a test for this function, because it must be running setuid root in order to do anything interesting. R=rsesek@chromium.org Review URL: https://codereview.chromium.org/728973002
2014-11-14 17:56:17 -05:00
// Copyright 2014 The Crashpad Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
#define CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
#include <mach/mach.h>
#include <sys/types.h>
namespace crashpad {
//! \brief Wraps `task_for_pid()`.
//!
//! This function exists to support `task_for_pid()` access checks in a setuid
//! environment. Normally, `task_for_pid()` can only return an arbitrary tasks
//! port when running as root or when taskgated(8) approves. When not running as
//! root, a series of access checks are perfomed to ensure that the running
//! process has permission to obtain the other process task port.
//!
//! It is possible to make an executable setuid root to give it broader
//! `task_for_pid()` access by bypassing taskgated(8) checks, but this also has
//! the effect of bypassing the access checks, allowing any process task port
//! to be obtained. In most situations, these access checks are desirable to
//! prevent security and privacy breaches.
//!
//! When running as setuid root, this function wraps `task_for_pid()`,
//! reimplementing those access checks. A process whose effective user ID is 0
//! and whose real user ID is nonzero is understood to be running setuid root.
//! In this case, the requested tasks real, effective, and saved set-user IDs
//! must all equal the running process real user ID, the requested task must
//! not have changed privileges, and the requested tasks set of all group IDs
//! (including its real, effective, and saved set-group IDs and supplementary
//! group list) must be a subset of the running process set of all group IDs.
//! These access checks mimic those that the kernel performs.
//!
//! When not running as setuid root, `task_for_pid()` is called directly,
//! without imposing any additional checks beyond what the kernel does.
//!
//! \param[in] pid The process ID of the task whose task port is desired.
//!
//! \return A send right to the task port if it could be obtained, or
//! `TASK_NULL` otherwise, with an error message logged. If a send right is
//! returned, the caller takes ownership of it.
task_t TaskForPID(pid_t pid);
} // namespace crashpad
#endif // CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
Reference in New Issue Copy Permalink