FreeBSD Mail Archives

Date:      Tue, 23 May 2017 16:59:24 +0000 (UTC)
From:      Steve Wills <swills@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r318751 - in head/sys: kern sys
Message-ID:  <201705231659.v4NGxOB8013882@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help

Author: swills (ports committer)
Date: Tue May 23 16:59:24 2017
New Revision: 318751
URL: https://svnweb.freebsd.org/changeset/base/318751

Log:
  Add security.bsd.see_jail_proc
  
  Add security.bsd.see_jail_proc sysctl to hide jail processes from non-root
  users
  
  Reviewed by:	jamie
  Approved by:	allanjude
  Relnotes:	yes
  Differential Revision:	https://reviews.freebsd.org/D10770

Modified:
  head/sys/kern/kern_prot.c
  head/sys/sys/proc.h

Modified: head/sys/kern/kern_prot.c
==============================================================================
--- head/sys/kern/kern_prot.c	Tue May 23 16:38:10 2017	(r318750)
+++ head/sys/kern/kern_prot.c	Tue May 23 16:59:24 2017	(r318751)
@@ -1386,6 +1386,35 @@ cr_canseeothergids(struct ucred *u1, str
 	return (0);
 }
 
+/*
+ * 'see_jail_proc' determines whether or not visibility of processes and
+ * sockets with credentials holding different jail ids is possible using a
+ * variety of system MIBs.
+ *
+ * XXX: data declarations should be together near the beginning of the file.
+ */
+
+static int	see_jail_proc = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
+    &see_jail_proc, 0,
+    "Unprivileged processes may see subjects/objects with different jail ids");
+
+/*-
+ * Determine if u1 "can see" the subject specified by u2, according to the
+ * 'see_jail_proc' policy.
+ * Returns: 0 for permitted, ESRCH otherwise
+ * Locks: none
+ * References: *u1 and *u2 must not change during the call
+ *             u1 may equal u2, in which case only one reference is required
+ */
+int
+cr_canseejailproc(struct ucred *u1, struct ucred *u2)
+{
+	if (u1->cr_uid == 0)
+		return (0);
+	return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+}
+
 /*-
  * Determine if u1 "can see" the subject specified by u2.
  * Returns: 0 for permitted, an errno value otherwise
@@ -1408,6 +1437,8 @@ cr_cansee(struct ucred *u1, struct ucred
 		return (error);
 	if ((error = cr_canseeothergids(u1, u2)))
 		return (error);
+	if ((error = cr_canseejailproc(u1, u2)))
+		return (error);
 	return (0);
 }
 

Modified: head/sys/sys/proc.h
==============================================================================
--- head/sys/sys/proc.h	Tue May 23 16:38:10 2017	(r318750)
+++ head/sys/sys/proc.h	Tue May 23 16:59:24 2017	(r318751)
@@ -988,6 +988,7 @@ int	cr_cansee(struct ucred *u1, struct u
 int	cr_canseesocket(struct ucred *cred, struct socket *so);
 int	cr_canseeothergids(struct ucred *u1, struct ucred *u2);
 int	cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
+int	cr_canseejailproc(struct ucred *u1, struct ucred *u2);
 int	cr_cansignal(struct ucred *cred, struct proc *proc, int signum);
 int	enterpgrp(struct proc *p, pid_t pgid, struct pgrp *pgrp,
 	    struct session *sess);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705231659.v4NGxOB8013882>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation