authorrwatson <rwatson@FreeBSD.org>2001-10-09 21:40:30 +0000
committerrwatson <rwatson@FreeBSD.org>2001-10-09 21:40:30 +0000
commitf51eaee62f1741aa1e1ae2c617c4219ef53e3cd8 (patch)
tree27edf05b443ffb7ba251232e556388f4f7b779ec
parentb80c438c9dcc5c4280cd8aa405c772bbef095f61 (diff)
downloadFreeBSD-src-f51eaee62f1741aa1e1ae2c617c4219ef53e3cd8.zip
FreeBSD-src-f51eaee62f1741aa1e1ae2c617c4219ef53e3cd8.tar.gz
- Combine kern.ps_showallprocs and kern.ipc.showallsockets into
a single kern.security.seeotheruids_permitted, described as: "Unprivileged processes may see subjects/objects with different real uid" NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is an API change. kern.ipc.showallsockets does not. - Check kern.security.seeotheruids_permitted in cr_cansee(). - Replace visibility calls to socheckuid() with cr_cansee() (retain the change to socheckuid() in ipfw, where it is used for rule-matching). - Remove prison_unpcb() and make use of cr_cansee() against the UNIX domain socket credential instead of comparing root vnodes for the UDS and the process. This allows multiple jails to share the same chroot() and not see each other's UNIX domain sockets. - Remove unused socheckproc(). Now that cr_cansee() is used universally for socket visibility, a variety of policies are more consistently enforced, including uid-based restrictions and jail-based restrictions. This also better-supports the introduction of additional MAC models. Reviewed by: ps, billf Obtained from: TrustedBSD Project
-rw-r--r--sys/kern/kern_proc.c4
-rw-r--r--sys/kern/kern_prot.c14
-rw-r--r--sys/kern/uipc_socket.c19
-rw-r--r--sys/kern/uipc_usrreq.c16
-rw-r--r--sys/netinet/raw_ip.c4
-rw-r--r--sys/netinet/tcp_subr.c6
-rw-r--r--sys/netinet/tcp_timewait.c6
-rw-r--r--sys/netinet/udp_usrreq.c6
8 files changed, 26 insertions, 49 deletions
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index 5b0e960..6647f73 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -59,10 +59,6 @@ MALLOC_DEFINE(M_SESSION, "session", "session header");
static MALLOC_DEFINE(M_PROC, "proc", "Proc structures");
MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures");
-int ps_showallprocs = 1;
-SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW,
- &ps_showallprocs, 0, "");
-
static void pgdelete __P((struct pgrp *));
static void orphanpg __P((struct pgrp *pg));
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index bc42d54..bc718e4 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1299,7 +1299,6 @@ suser_xxx(cred, proc, flag)
return (0);
}
-
/*
* Test (local, globale) securelevel values against passed required
* securelevel. _gt implements (level > securelevel), and _ge implements
@@ -1357,6 +1356,16 @@ securelevel_ge(struct ucred *cr, int level)
}
}
+/*
+ * kern_security_seeotheruids_permitted determines whether or not visibility
+ * of processes and sockets with credentials holding different real uid's
+ * is possible using a variety of system MIBs.
+ */
+static int kern_security_seeotheruids_permitted = 1;
+SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted,
+ CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0,
+ "Unprivileged processes may see subjects/objects with different real uid");
+
/*-
* Determine if u1 "can see" the subject specified by u2.
* Returns: 0 for permitted, an errno value otherwise
@@ -1372,7 +1381,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = prison_check(u1, u2)))
return (error);
- if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) {
+ if (!kern_security_seeotheruids_permitted &&
+ u1->cr_ruid != u2->cr_ruid) {
if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
return (ESRCH);
}
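Review bot: The new test `u1->cr_ruid != u2->cr_ruid` keys visibility on real uid only, whereas the `socheckproc()` this commit deletes (uipc_socket.c hunk) also accepted a match on the viewer's effective uid, so a set-uid process whose effective uid owns a socket but whose real uid differs now needs PRISON_ROOT privilege to list it; the sysctl description says "real uid", so this looks intentional, but nothing at the check records it. I would add above the `if`: `/* Keyed on real uid only; an effective-uid match is deliberately not sufficient (unlike the former socheckproc()). */`. The block comment on `kern_security_seeotheruids_permitted` could also state that the knob is enforced only here in cr_cansee(), which the process and socket MIBs appear to reach through this function, so a future caller knows where the policy lives. cr_cansee() begins before this hunk and continues after it.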
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 94b6b00..65ef837 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -92,10 +92,6 @@ static int somaxconn = SOMAXCONN;
SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW,
&somaxconn, 0, "Maximum pending socket connection queue size");
-int showallsockets = 1;
-SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets,
- 0, "show users all other users pcb data");
-
/*
* Socket operation routines.
* These routines are called by the routines in
@@ -1659,18 +1655,3 @@ socheckuid(struct socket *so, uid_t uid)
return (0);
return (EPERM);
}
-
-int
-socheckproc(struct socket *so, struct proc *p)
-{
-
- if (p == NULL)
- return (ESRCH);
- if (socheckuid(so, p->p_ucred->cr_ruid) == 0)
- return (0);
- if (socheckuid(so, p->p_ucred->cr_uid) == 0)
- return (0);
- if (!suser_xxx(0, p, PRISON_ROOT))
- return (0);
- return (EPERM);
-}
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 747dbe2..12af404 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -803,16 +803,6 @@ unp_abort(unp)
#endif
static int
-prison_unpcb(struct proc *p, struct unpcb *unp)
-{
- if (!jailed(p->p_ucred))
- return (0);
- if (p->p_fd->fd_rdir == unp->unp_rvnode)
- return (0);
- return (1);
-}
-
-static int
unp_pcblist(SYSCTL_HANDLER_ARGS)
{
int error, i, n;
@@ -859,9 +849,9 @@ unp_pcblist(SYSCTL_HANDLER_ARGS)
for (unp = LIST_FIRST(head), i = 0; unp && i < n;
unp = LIST_NEXT(unp, unp_link)) {
- if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) {
- if (!showallsockets && socheckproc(unp->unp_socket,
- curthread->td_proc))
+ if (unp->unp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ unp->unp_socket->so_cred))
continue;
unp_list[i++] = unp;
}
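Review bot: `cr_cansee()` returns an errno (0 or ESRCH per the kern_prot.c hunk), and the new `if (cr_cansee(req->p->p_ucred, unp->unp_socket->so_cred))` uses that errno as a bare truth value; for an access-control decision I would make the convention explicit at the call site, `if (cr_cansee(req->p->p_ucred, unp->unp_socket->so_cred) != 0)`. The new line also dereferences `unp->unp_socket` without a NULL check; the removed call passed the same pointer to socheckproc(), so this is not a regression, but if a pcb can remain on the list between detach and unlink a guard would be needed — worth confirming against unp_detach(). Dropping `!prison_unpcb(req->p, unp)` from the condition is fine only because cr_cansee() performs prison_check() first, which the kern_prot.c context lines show. unp_pcblist() starts before this hunk and continues after it.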
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 64c836e..1bad6dd 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -630,8 +630,8 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
if (inp->inp_gencnt <= gencnt) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
continue;
inp_list[i++] = inp;
}
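Review bot: The new condition `if (cr_cansee(req->p->p_ucred, inp->inp_socket->so_cred))` treats an errno return as a boolean; prefer `if (cr_cansee(req->p->p_ucred, inp->inp_socket->so_cred) != 0)` so the "nonzero means hidden" convention is readable without consulting cr_cansee(). The same `inp->inp_socket->so_cred` expression is now repeated verbatim in tcp_subr.c, tcp_timewait.c and udp_usrreq.c; a small `static int inp_cansee(struct ucred *cred, struct inpcb *inp)` helper in the inpcb code would give the four call sites one place to add any future NULL-socket or locking check. Unlike the former `!showallsockets && ...` form, the visibility call now runs for every pcb regardless of the sysctl, which is what makes jail scoping uniform but should be kept in mind for very large pcb lists. rip_pcblist() starts before this hunk and continues after it.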
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 32b3079..99916c6 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (inp->inp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
continue;
inp_list[i++] = inp;
}
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 32b3079..99916c6 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (inp->inp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
continue;
inp_list[i++] = inp;
}
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index e933064..463f8b3 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -579,9 +579,9 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
- if (!showallsockets && socheckproc(inp->inp_socket,
- curthread->td_proc))
+ if (inp->inp_gencnt <= gencnt) {
+ if (cr_cansee(req->p->p_ucred,
+ inp->inp_socket->so_cred))
continue;
inp_list[i++] = inp;
}