authorrwatson <rwatson@FreeBSD.org>2002-03-22 02:28:26 +0000
committerrwatson <rwatson@FreeBSD.org>2002-03-22 02:28:26 +0000
commitd8370f667da0469f2618c75d4827cd30d389f233 (patch)
tree56b81ee24418a5df5f35b03ef356052ff15731d1 /sys/kern/kern_prot.c
parent0b20191705a346bc322deac818912bd4eab96a1b (diff)
Break out the "see_other_uids" policy check from the various
method-based inter-process security checks. To do this, introduce a new cr_seeotheruids(u1, u2) function, which encapsulates the "see_other_uids" logic. Call out to this policy following the jail security check for all of {debug,sched,see,signal} inter-process checks. This more consistently enforces the check, and makes the check easy to modify. Eventually, it may be that this check should become a MAC policy, loaded via a module. Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'sys/kern/kern_prot.c')
-rw-r--r--sys/kern/kern_prot.c32
1 files changed, 28 insertions, 4 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index a259919..74f25bf 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1392,6 +1392,25 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
"Unprivileged processes may see subjects/objects with different real uid");
/*-
+ * Determine if u1 "can see" the subject specified by u2, according to the
+ * 'see_other_uids' policy.
+ * Returns: 0 for permitted, ESRCH otherwise
+ * Locks: none
+ * References: *u1 and *u2 must not change during the call
+ * u1 may equal u2, in which case only one reference is required
+ */
+static int
+cr_seeotheruids(struct ucred *u1, struct ucred *u2)
+{
+
+ if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
+ if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
+ return (ESRCH);
+ }
+ return (0);
+}
+
+/*-
* Determine if u1 "can see" the subject specified by u2.
* Returns: 0 for permitted, an errno value otherwise
* Locks: none
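Review bot: The header comment on `cr_seeotheruids()` says "0 for permitted, ESRCH otherwise" but leaves out the privilege exemption. With the policy disabled and differing real uids, the body still returns 0 when `suser_xxx(u1, NULL, PRISON_ROOT)` succeeds. I would add a line such as `* Subjects that pass suser_xxx(u1, NULL, PRISON_ROOT) are exempt from the policy.` A second line noting that only `cr_ruid` is compared would help, because every caller added in this commit inherits that choice.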
@@ -1405,10 +1424,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = prison_check(u1, u2)))
return (error);
- if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
- return (ESRCH);
- }
+ if ((error = cr_seeotheruids(u1, u2)))
+ return (error);
return (0);
}
@@ -1446,6 +1463,9 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
error = prison_check(cred, proc->p_ucred);
if (error)
return (error);
+ error = cr_seeotheruids(cred, proc->p_ucred);
+ if (error)
+ return (error);
/*
* UNIX signal semantics depend on the status of the P_SUGID
@@ -1539,6 +1559,8 @@ p_cansched(struct proc *p1, struct proc *p2)
return (0);
if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
return (error);
+ if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred)))
+ return (error);
if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
return (0);
if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
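Review bot: In `p_cansched()` the new `cr_seeotheruids()` call compares only real uids and runs before the uid comparisons below it. With `see_other_uids` set to 0, a subject that fails the `suser_xxx()` check and whose real uid differs from the target's gets ESRCH before the `cr_uid == cr_ruid` test can grant access. If that precedence is intended, a comment above the call should say so, e.g. `/* see_other_uids is keyed on real uid and overrides the uid checks below */`. The same ordering probably affects the checks that follow the new calls in `cr_cansignal()` and `p_candebug()`, but those lie outside the visible hunks. The body of `p_cansched()` starts and ends outside this hunk.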
@@ -1592,6 +1614,8 @@ p_candebug(struct proc *p1, struct proc *p2)
return (0);
if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
return (error);
+ if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred)))
+ return (error);
/*
* Is p2's group set a subset of p1's effective group set? This