authordwmalone <dwmalone@FreeBSD.org>2001-06-24 12:18:27 +0000
committerdwmalone <dwmalone@FreeBSD.org>2001-06-24 12:18:27 +0000
commitdb54f212f80a6dc063aba54a6a776c519058e877 (patch)
tree8477270619bea510dd797ce0687af53dddef512b
parent238662ef2f525a2d6bba9e46aa736b82aa2dc7fa (diff)
downloadFreeBSD-src-db54f212f80a6dc063aba54a6a776c519058e877.zip
FreeBSD-src-db54f212f80a6dc063aba54a6a776c519058e877.tar.gz
Allow the getcred sysctl to work in jailed root processes. Processes can
only make getcred calls for sockets that were created in the same jail. This should allow ident to work in a reasonable way within jails. PR: 28107 Approved by: des, rwatson
-rw-r--r--sys/netinet/tcp_subr.c21
-rw-r--r--sys/netinet/tcp_timewait.c21
-rw-r--r--sys/netinet/udp_usrreq.c10
3 files changed, 35 insertions, 17 deletions
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index a706056..221e541 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, s;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
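Review bot: The relaxation from suser() to suser_xxx(0, req->p, PRISON_ROOT) three lines above is only acceptable because of the u_cansee() check added further down in the same function, after the inpcb lookup, yet nothing at this site records that dependency. A one-line comment would keep the two halves paired for the next maintainer: `/* Jailed root is allowed here; u_cansee() below limits results to sockets visible from the caller's jail. */`. The same applies to the tcp6_getcred hunk, the two matching hunks in tcp_timewait.c and the udp_getcred hunk, which make the identical change. tcp_getcred begins before this hunk and continues after it.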
@@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
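Review bot: The added u_cansee() call propagates whatever error u_cansee() reports, which differs from the ENOENT set three lines earlier when no inpcb matches, so a jailed caller can distinguish a connection that exists in another jail from one that does not exist at all. If that distinction is not intended, folding the visibility failure into the not-found path removes the oracle: `if (u_cansee(req->p->p_ucred, inp->inp_socket->so_cred) != 0) { error = ENOENT; goto out; }`. Whether u_cansee() also applies visibility policy beyond jail membership cannot be seen from this hunk; confirm that is the semantics wanted for getcred. The same pattern appears in the tcp6_getcred hunk, the two matching hunks in tcp_timewait.c and the udp_getcred hunk. The enclosing function starts and ends outside this hunk.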
@@ -924,8 +927,9 @@ out:
return (error);
}
-SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
+SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
#ifdef INET6
static int
@@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, s, mapped = 0;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -976,9 +983,9 @@ out:
return (error);
}
-SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0,
- tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
+SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
#endif
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index a706056..221e541 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, s;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -924,8 +927,9 @@ out:
return (error);
}
-SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
+SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
#ifdef INET6
static int
@@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, s, mapped = 0;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -976,9 +983,9 @@ out:
return (error);
}
-SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0,
- tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
+SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
#endif
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index d388538..06f049c 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -628,7 +628,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
struct inpcb *inp;
int error, s;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
if (error)
return (error);
error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -641,6 +641,9 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
error = ENOENT;
goto out;
}
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
bzero(&xuc, sizeof(xuc));
xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -652,8 +655,9 @@ out:
return (error);
}
-SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0, udp_getcred, "S,xucred", "Get the xucred of a UDP connection");
+SYSCTL_PROC(_net_inet_udp, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ udp_getcred, "S,xucred", "Get the xucred of a UDP connection");
static int
udp_output(inp, m, addr, control, p)