Date: Tue, 23 May 2017 16:59:24 +0000 (UTC) From: Steve Wills <swills@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r318751 - in head/sys: kern sys Message-ID: <201705231659.v4NGxOB8013882@repo.freebsd.org>
Author: swills (ports committer) Date: Tue May 23 16:59:24 2017 New Revision: 318751 URL: https://svnweb.freebsd.org/changeset/base/318751 Log: Add security.bsd.see_jail_proc Add security.bsd.see_jail_proc sysctl to hide jail processes from non-root users Reviewed by: jamie Approved by: allanjude Relnotes: yes Differential Revision: https://reviews.freebsd.org/D10770 Modified: head/sys/kern/kern_prot.c head/sys/sys/proc.h
Modified: head/sys/kern/kern_prot.c
==============================================================================
--- head/sys/kern/kern_prot.c	Tue May 23 16:38:10 2017	(r318750)
+++ head/sys/kern/kern_prot.c	Tue May 23 16:59:24 2017	(r318751)
@@ -1386,6 +1386,35 @@ cr_canseeothergids(struct ucred *u1, str
 	return (0);
 }
 
+/*
+ * 'see_jail_proc' determines whether or not visibility of processes and
+ * sockets with credentials holding different jail ids is possible using a
+ * variety of system MIBs.
+ *
+ * XXX: data declarations should be together near the beginning of the file.
+ */
+
+static int see_jail_proc = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
+    &see_jail_proc, 0,
+    "Unprivileged processes may see subjects/objects with different jail ids");
+
+/*-
+ * Determine if u1 "can see" the subject specified by u2, according to the
+ * 'see_jail_proc' policy.
+ * Returns: 0 for permitted, ESRCH otherwise
+ * Locks: none
+ * References: *u1 and *u2 must not change during the call
+ *             u1 may equal u2, in which case only one reference is required
+ */
+int
+cr_canseejailproc(struct ucred *u1, struct ucred *u2)
+{
+	if (u1->cr_uid == 0)
+		return (0);
+	return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+}
+
 /*-
  * Determine if u1 "can see" the subject specified by u2.
  * Returns: 0 for permitted, an errno value otherwise
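Review bot: The root exemption in the new cr_canseejailproc() is a hard-coded `if (u1->cr_uid == 0)` on the effective uid, so it never goes through priv(9), cannot be governed by MAC or jail privilege policy, and lets any set-uid-root process see across jails regardless of its real uid. If the sibling cr_canseeotheruids()/cr_canseeothergids() checks in this file grant their exemption via priv_check_cred() (their bodies are not in the hunk), this check should take the same route with a suitable privilege rather than testing cr_uid directly, so that all three visibility policies are controlled in one place. The header comment should also state that the test compares cr_prison pointers, so with see_jail_proc=0 an unprivileged process in a parent jail is denied sight of processes in its child jails as well, e.g. `* Note: compares cr_prison pointers, so child jails are hidden from an unprivileged parent jail too.`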
@@ -1408,6 +1437,8 @@ cr_cansee(struct ucred *u1, struct ucred
 		return (error);
 	if ((error = cr_canseeothergids(u1, u2)))
 		return (error);
+	if ((error = cr_canseejailproc(u1, u2)))
+		return (error);
 	return (0);
 }
Modified: head/sys/sys/proc.h
==============================================================================
--- head/sys/sys/proc.h	Tue May 23 16:38:10 2017	(r318750)
+++ head/sys/sys/proc.h	Tue May 23 16:59:24 2017	(r318751)
@@ -988,6 +988,7 @@ int cr_cansee(struct ucred *u1, struct u
 int cr_canseesocket(struct ucred *cred, struct socket *so);
 int cr_canseeothergids(struct ucred *u1, struct ucred *u2);
 int cr_canseeotheruids(struct ucred *u1, struct ucred *u2);
+int cr_canseejailproc(struct ucred *u1, struct ucred *u2);
 int cr_cansignal(struct ucred *cred, struct proc *proc, int signum);
 int enterpgrp(struct proc *p, pid_t pgid, struct pgrp *pgrp, struct session *sess);