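--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,59 @@
+// Copyright 2014 The Crashpad Authors. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
+#define CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
+
+#include <mach/mach.h>
+#include <sys/types.h>
+
+namespace crashpad {
+
+//! \brief Wraps `task_for_pid()`.
+//!
+//! This function exists to support `task_for_pid()` access checks in a setuid
+//! environment. Normally, `task_for_pid()` can only return an arbitrary task’s
+//! port when running as root or when taskgated(8) approves. When not running as
+//! root, a series of access checks are perfomed to ensure that the running
+//! process has permission to obtain the other process’ task port.
+//!
+//! It is possible to make an executable setuid root to give it broader
+//! `task_for_pid()` access by bypassing taskgated(8) checks, but this also has
+//! the effect of bypassing the access checks, allowing any process’ task port
+//! to be obtained. In most situations, these access checks are desirable to
+//! prevent security and privacy breaches.
+//!
+//! When running as setuid root, this function wraps `task_for_pid()`,
+//! reimplementing those access checks. A process whose effective user ID is 0
+//! and whose real user ID is nonzero is understood to be running setuid root.
+//! In this case, the requested task’s real, effective, and saved set-user IDs
+//! must all equal the running process’ real user ID, the requested task must
+//! not have changed privileges, and the requested task’s set of all group IDs
+//! (including its real, effective, and saved set-group IDs and supplementary
+//! group list) must be a subset of the running process’ set of all group IDs.
+//! These access checks mimic those that the kernel performs.
+//!
+//! When not running as setuid root, `task_for_pid()` is called directly,
+//! without imposing any additional checks beyond what the kernel does.
+//!
+//! \param[in] pid The process ID of the task whose task port is desired.
+//!
+//! \return A send right to the task port if it could be obtained, or
+//! `TASK_NULL` otherwise, with an error message logged. If a send right is
+//! returned, the caller takes ownership of it.
+task_t TaskForPID(pid_t pid);
+
+} // namespace crashpad
+
+#endif // CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_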
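Review bot: The doc comment on `TaskForPID` describes a user-space reimplementation of the kernel's credential checks but does not say whether those checks are atomic with the `task_for_pid()` call; the implementation is not in this hunk, but a check-then-call sequence in user space presumably cannot exclude the target's credentials changing in between, and callers should know the result is no stronger than the kernel's own check. I would add, after the line ending "mimic those that the kernel performs.": `//! Unlike the kernel's checks, these are evaluated in user space before the call and are not atomic with it; a target whose credentials change in between may be judged on stale state.` Separately, "perfomed" on the "a series of access checks are perfomed" line should read "performed".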