Sophie: systemtap-1:1.3-1.2.mga1 src

systemtap-1.3-1.2.mga1.src.rpm

commit e75e70e736ea53078eaa9fd36a5f7186e3e2235c
Author: Josh Stone <jistone@redhat.com>
Date:   Fri Jun 24 14:21:26 2011 -0700

    rhbz716476: Don't allow path-based auth for uprobes
    
    For users that are only members of stapusr, and not stapdev, we only
    allow loading modules that are either signed with a trusted certificate
    or located in controlled paths.  For the script itself, that path is
    /lib/modules/.../systemtap/, and for uprobes it is the runtime.  When
    this policy was first written, uprobes only ever came from the runtime
    path, so the path check just returned 1 always.
    
    Later, commit 474d17ad added an optional argument to staprun -u, to
    allow the user to specify their own signed copy of uprobes to load.
    Unfortunately, if presented with an unsigned module, that would still
    fall back to the path check, which blissfully approved it anyway.
    
    Our policy is now that stapusr can only load a signed uprobes.ko, so the
    path check for uprobes now unconditionally returns 0.

diff --git a/runtime/staprun/staprun_funcs.c b/runtime/staprun/staprun_funcs.c
index 74eef9c..82754d4 100644
--- a/runtime/staprun/staprun_funcs.c
+++ b/runtime/staprun/staprun_funcs.c
@@ -387,8 +387,10 @@ check_stap_module_path(const char *module_path, int module_fd)
 }
 
 /*
- * Members of the 'stapusr' group can load the uprobes module freely,
- * since it is loaded from a fixed path in the installed runtime.
+ * Don't allow path-based authorization for the uprobes module at all.
+ * Members of the 'stapusr' group can load a signed uprobes module, but
+ * nothing else.  Later we could consider allowing specific paths, like
+ * the installed runtime or /lib/modules/...
  *
  * Returns: -1 on errors, 0 on failure, 1 on success.
  */
@@ -398,7 +400,7 @@ check_uprobes_module_path (
   int module_fd __attribute__ ((unused))
 )
 {
-  return 1;
+  return 0;
 }
 
 /*
@@ -596,10 +598,8 @@ void assert_uprobes_module_permissions(
 	if (check_signature_rc == MODULE_ALTERED)
 		exit(-1);
 #else
-	/* If we don't have NSS, then the uprobes module is considered trusted.
-	   Otherwise a member of the group 'stapusr' will not be able to load it.
-	 */
-	check_signature_rc = MODULE_OK;
+	/* If we don't have NSS, the uprobes module is considered untrusted. */
+	check_signature_rc = MODULE_UNTRUSTED;
 #endif
 
 	/* root can still load this module.  */