author | dwmalone <dwmalone@FreeBSD.org> | 2001-06-24 12:18:27 +0000 |
---|---|---|
committer | dwmalone <dwmalone@FreeBSD.org> | 2001-06-24 12:18:27 +0000 |
commit | db54f212f80a6dc063aba54a6a776c519058e877 (patch) | |
tree | 8477270619bea510dd797ce0687af53dddef512b /sys/netinet/tcp_timewait.c | |
parent | 238662ef2f525a2d6bba9e46aa736b82aa2dc7fa (diff) | |
Allow getcred sysctl to work in jailed root processes. Processes can
only do getcred calls for sockets which were created in the same jail.
This should allow the ident to work in a reasonable way within jails.
PR: 28107
Approved by: des, rwatson
Diffstat (limited to 'sys/netinet/tcp_timewait.c')
-rw-r--r-- | sys/netinet/tcp_timewait.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index a706056..221e541 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -900,7 +900,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
 struct inpcb *inp;
 int error, s;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
 if (error)
 return (error);
 error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -913,6 +913,9 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
 error = ENOENT;
 goto out;
 }
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
 bzero(&xuc, sizeof(xuc));
 xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
 xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -924,8 +927,9 @@ out:
 return (error);
 }
-SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0, tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
+SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
 #ifdef INET6
 static int
@@ -936,7 +940,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
 struct inpcb *inp;
 int error, s, mapped = 0;
- error = suser(req->p);
+ error = suser_xxx(0, req->p, PRISON_ROOT);
 if (error)
 return (error);
 error = SYSCTL_IN(req, addrs, sizeof(addrs));
@@ -965,6 +969,9 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
 error = ENOENT;
 goto out;
 }
+ error = u_cansee(req->p->p_ucred, inp->inp_socket->so_cred);
+ if (error)
+ goto out;
 bzero(&xuc, sizeof(xuc));
 xuc.cr_uid = inp->inp_socket->so_cred->cr_uid;
 xuc.cr_ngroups = inp->inp_socket->so_cred->cr_ngroups;
@@ -976,9 +983,9 @@ out:
 return (error);
 }
-SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred, CTLTYPE_OPAQUE|CTLFLAG_RW,
- 0, 0,
- tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
+SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
+ CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
+ tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
 #endif |
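Review bot: The `suser_xxx(0, req->p, PRISON_ROOT)` call in tcp_getcred (hunk `-900,7 +900,7`) and in tcp6_getcred (hunk `-936,7 +940,7`) carries no comment saying that it now admits jailed root and that jail isolation rests on the `u_cansee()` check added further down in the same function. With `CTLFLAG_PRISON` also set on both SYSCTL_PROC entries, the handler is the only gate, so a later edit that drops or moves the u_cansee() call would expose the credentials of sockets belonging to other jails. I would add above each call: `/* Jailed root may call this; the u_cansee() check below limits it to sockets it is allowed to see. */`. Both function bodies start and end outside the hunks shown.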
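Review bot: The result of the new `u_cansee()` call is returned to the caller unchanged in hunk `-913,6 +913,9` (tcp_getcred) and hunk `-965,6 +969,9` (tcp6_getcred), while the lookup-failure path just above it returns ENOENT. If u_cansee() reports a different errno for a socket the caller may not see (its definition is not on this page, so this needs confirming), a jailed process can tell "no such connection" apart from "connection exists but belongs to another jail", which leaks the existence of connections outside the jail. Collapsing the denial to the same code avoids that: `if (u_cansee(req->p->p_ucred, inp->inp_socket->so_cred)) { error = ENOENT; goto out; }`. The `goto out` path is the right one to keep, since the label's cleanup lies outside the hunk and the early `return` form would skip it.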