authorrwatson <rwatson@FreeBSD.org>2003-07-28 16:03:53 +0000
committerrwatson <rwatson@FreeBSD.org>2003-07-28 16:03:53 +0000
commit9bfbf98f8a8fcc1607b07e0109f31468a6e9fef3 (patch)
tree711edcac151fb045a3072eca68084bb8e556d3e1 /sys
parent0f7d88f2558efa06dafaf75e485e06ab56d80c46 (diff)
downloadFreeBSD-src-9bfbf98f8a8fcc1607b07e0109f31468a6e9fef3.zip
FreeBSD-src-9bfbf98f8a8fcc1607b07e0109f31468a6e9fef3.tar.gz
When exporting file descriptor data for threads invoking the
kern.file sysctl, don't return information about processes that fail p_cansee(td, p). This prevents sockstat and related programs from seeing file descriptors owned by processes not in the same jail as the thread, as well as having implications for MAC, etc. This is a partial solution: it permits an information leak about the number of descriptors in the sizing calculation (but this is not new information, you can also get it from kern.openfiles), and doesn't attempt to mask file descriptors based on the properties of the descriptor, only the process referencing it. However, it provides most of what you want under most circumstances, without complicating the locking. PR: 54211 Based on a patch submitted by: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/kern_descrip.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/sys/kern/kern_descrip.c b/sys/kern/kern_descrip.c
index d8542c8..c832ef2 100644
--- a/sys/kern/kern_descrip.c
+++ b/sys/kern/kern_descrip.c
@@ -2273,6 +2273,13 @@ sysctl_kern_file(SYSCTL_HANDLER_ARGS)
struct proc *p;
int error, n;
+ /*
+ * Note: because the number of file descriptors is calculated
+ * in different ways for sizing vs returning the data,
+ * there is information leakage from the first loop. However,
+ * it is of a similar order of magnitude to the leakage from
+ * global system statistics such as kern.openfiles.
+ */
sysctl_wire_old_buffer(req, 0);
if (req->oldptr == NULL) {
n = 16; /* A slight overestimate. */
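Review bot: The added comment refers to "the first loop", but it sits above `sysctl_wire_old_buffer(req, 0)` where no loop is visible, so a reader cannot tell which pass leaks the descriptor count. I would move it inside the `req->oldptr == NULL` sizing branch and name both sides, e.g. `/* Sizing counts descriptors of every process; the export loop skips processes that fail p_cansee(), so the size estimate can reveal descriptors outside the caller's view. */`. The sizing loop itself lies outside this hunk, so this assumes it is the unfiltered pass the commit message describes.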
@@ -2295,6 +2302,10 @@ sysctl_kern_file(SYSCTL_HANDLER_ARGS)
sx_slock(&allproc_lock);
LIST_FOREACH(p, &allproc, p_list) {
PROC_LOCK(p);
+ if (p_cansee(req->td, p) != 0) {
+ PROC_UNLOCK(p);
+ continue;
+ }
xf.xf_pid = p->p_pid;
xf.xf_uid = p->p_ucred->cr_uid;
PROC_UNLOCK(p);
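Review bot: The new `p_cansee(req->td, p)` guard skips a process silently and nothing at the call site says why, so the visibility rule (jail, MAC and similar inter-process policy) is only discoverable from the commit message. A one-line comment above the check would keep that intent next to the code: `/* Skip processes the requesting thread is not permitted to see. */`. The `PROC_UNLOCK(p)` before `continue` correctly releases the lock taken at the top of the iteration, and that pairing has to be preserved if the check is ever moved. The loop body continues past the end of this hunk, so the per-descriptor fields filled in after `xf_uid` are not covered by this note.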