diff options
author | rwatson <rwatson@FreeBSD.org> | 2001-10-09 21:40:30 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2001-10-09 21:40:30 +0000 |
commit | f51eaee62f1741aa1e1ae2c617c4219ef53e3cd8 (patch) | |
tree | 27edf05b443ffb7ba251232e556388f4f7b779ec /sys/kern/kern_prot.c | |
parent | b80c438c9dcc5c4280cd8aa405c772bbef095f61 (diff) | |
download | FreeBSD-src-f51eaee62f1741aa1e1ae2c617c4219ef53e3cd8.zip FreeBSD-src-f51eaee62f1741aa1e1ae2c617c4219ef53e3cd8.tar.gz |
- Combine kern.ps_showallprocs and kern.ipc.showallsockets into
a single kern.security.seeotheruids_permitted, describes as:
"Unprivileged processes may see subjects/objects with different real uid"
NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is
an API change. kern.ipc.showallsockets does not.
- Check kern.security.seeotheruids_permitted in cr_cansee().
- Replace visibility calls to socheckuid() with cr_cansee() (retain
the change to socheckuid() in ipfw, where it is used for rule-matching).
- Remove prison_unpcb() and make use of cr_cansee() against the UNIX
domain socket credential instead of comparing root vnodes for the
UDS and the process. This allows multiple jails to share the same
chroot() and not see each others UNIX domain sockets.
- Remove unused socheckproc().
Now that cr_cansee() is used universally for socket visibility, a variety
of policies are more consistently enforced, including uid-based
restrictions and jail-based restrictions. This also better-supports
the introduction of additional MAC models.
Reviewed by: ps, billf
Obtained from: TrustedBSD Project
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r-- | sys/kern/kern_prot.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index bc42d54..bc718e4 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1299,7 +1299,6 @@ suser_xxx(cred, proc, flag) return (0); } - /* * Test (local, globale) securelevel values against passed required * securelevel. _gt implements (level > securelevel), and _ge implements @@ -1357,6 +1356,16 @@ securelevel_ge(struct ucred *cr, int level) } } +/* + * kern_security_seeotheruids_permitted determines whether or not visibility + * of processes and sockets with credentials holding different real uid's + * is possible using a variety of system MIBs. + */ +static int kern_security_seeotheruids_permitted = 1; +SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted, + CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0, + "Unprivileged processes may see subjects/objects with different real uid"); + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise @@ -1372,7 +1381,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = prison_check(u1, u2))) return (error); - if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) { + if (!kern_security_seeotheruids_permitted && + u1->cr_ruid != u2->cr_ruid) { if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) return (ESRCH); } |