-rw-r--r--sys/kern/uipc_socket.c30
-rw-r--r--sys/kern/uipc_usrreq.c6
-rw-r--r--sys/netinet/ip_fw.c6
-rw-r--r--sys/netinet/raw_ip.c7
-rw-r--r--sys/netinet/tcp_subr.c6
-rw-r--r--sys/netinet/tcp_timewait.c6
-rw-r--r--sys/netinet/udp_usrreq.c6
-rw-r--r--sys/sys/socketvar.h4
8 files changed, 62 insertions, 9 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 0b40522..94b6b00 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -92,6 +92,10 @@ static int somaxconn = SOMAXCONN;
SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW,
&somaxconn, 0, "Maximum pending socket connection queue size");
+int showallsockets = 1;
+SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets,
+ 0, "show users all other users pcb data");
+
/*
* Socket operation routines.
* These routines are called by the routines in
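Review bot: `showallsockets` is initialised to 1, so the filtering it gates in the pcblist sysctl handlers stays disabled until an administrator clears it, and nothing at the definition says that; a one-line comment above it should, e.g. `/* 1: pcblist sysctls return every pcb; 0: unprivileged callers see only their own sockets. */`. The sysctl description string `"show users all other users pcb data"` reads awkwardly; `"Show other users' pcb data to unprivileged users"` says the same thing more clearly. Since the variable is only declared extern in sys/sys/socketvar.h, this definition is the place where the knob's meaning belongs.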
@@ -1644,3 +1648,29 @@ filt_solisten(struct knote *kn, long hint)
kn->kn_data = so->so_qlen - so->so_incqlen;
return (! TAILQ_EMPTY(&so->so_comp));
}
+
+int
+socheckuid(struct socket *so, uid_t uid)
+{
+
+ if (so == NULL)
+ return (EPERM);
+ if (so->so_cred->cr_uid == uid)
+ return (0);
+ return (EPERM);
+}
+
+int
+socheckproc(struct socket *so, struct proc *p)
+{
+
+ if (p == NULL)
+ return (ESRCH);
+ if (socheckuid(so, p->p_ucred->cr_ruid) == 0)
+ return (0);
+ if (socheckuid(so, p->p_ucred->cr_uid) == 0)
+ return (0);
+ if (!suser_xxx(0, p, PRISON_ROOT))
+ return (0);
+ return (EPERM);
+}
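Review bot: Neither socheckuid nor socheckproc carries a comment stating its contract, and the two functions return different non-zero codes (EPERM, ESRCH) that every caller in this change collapses to a boolean "hide it" test. For socheckuid I would add `/* Return 0 if so is owned by uid, EPERM otherwise; a NULL socket never matches. */`, and for socheckproc `/* Return 0 if p may inspect so: p's real or effective uid owns it, or p passes suser_xxx(PRISON_ROOT). ESRCH if p is NULL, EPERM otherwise. */`. socheckuid reads `so->so_cred` without a NULL check; if so_cred is guaranteed set for every socket reaching here that is fine, but the comment should state that the caller must pass a fully initialised socket. Because a NULL so yields EPERM, a pcb with no attached socket is hidden from unprivileged callers when showallsockets is 0 — worth saying explicitly, since the pcblist callers pass `inp->inp_socket` unchecked.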
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 7480773..747dbe2 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -859,8 +859,12 @@ unp_pcblist(SYSCTL_HANDLER_ARGS)
for (unp = LIST_FIRST(head), i = 0; unp && i < n;
unp = LIST_NEXT(unp, unp_link)) {
- if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp))
+ if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) {
+ if (!showallsockets && socheckproc(unp->unp_socket,
+ curthread->td_proc))
+ continue;
unp_list[i++] = unp;
+ }
}
n = i; /* in case we lost some during malloc */
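Review bot: The new check resolves the caller via `curthread->td_proc` while the prison check on the same line uses `req->p`; inside a sysctl handler these presumably name the same process, but mixing the two sources forces the reader to verify it and makes the two privilege checks depend on different lookups. Using `socheckproc(unp->unp_socket, req->p)` keeps both checks against the same process as prison_unpcb already uses. The same pattern appears in the rip_pcblist, tcp_pcblist (both tcp_subr.c and tcp_timewait.c) and udp_pcblist hunks of this change. unp_pcblist begins and ends outside this hunk.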
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index fbd2e90..320672c 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -1346,8 +1346,7 @@ again:
if (P && P->inp_socket) {
if (f->fw_flg & IP_FW_F_UID) {
- if (P->inp_socket->so_cred->cr_uid !=
- f->fw_uid)
+ if (socheckuid(P->inp_socket, f->fw_uid))
continue;
} else if (!groupmember(f->fw_gid,
P->inp_socket->so_cred))
@@ -1375,8 +1374,7 @@ again:
if (P && P->inp_socket) {
if (f->fw_flg & IP_FW_F_UID) {
- if (P->inp_socket->so_cred->cr_uid !=
- f->fw_uid)
+ if (socheckuid(P->inp_socket, f->fw_uid))
continue;
} else if (!groupmember(f->fw_gid,
P->inp_socket->so_cred))
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 54c30ac..64c836e 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -43,6 +43,7 @@
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
+#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@@ -628,8 +629,12 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt)
+ if (inp->inp_gencnt <= gencnt) {
+ if (!showallsockets && socheckproc(inp->inp_socket,
+ curthread->td_proc))
+ continue;
inp_list[i++] = inp;
+ }
}
splx(s);
n = i;
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index b575415..32b3079 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+ if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+ if (!showallsockets && socheckproc(inp->inp_socket,
+ curthread->td_proc))
+ continue;
inp_list[i++] = inp;
+ }
}
splx(s);
n = i;
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index b575415..32b3079 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+ if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+ if (!showallsockets && socheckproc(inp->inp_socket,
+ curthread->td_proc))
+ continue;
inp_list[i++] = inp;
+ }
}
splx(s);
n = i;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index a9efeab..e933064 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -579,8 +579,12 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
s = splnet();
for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n;
inp = LIST_NEXT(inp, inp_list)) {
- if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+ if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+ if (!showallsockets && socheckproc(inp->inp_socket,
+ curthread->td_proc))
+ continue;
inp_list[i++] = inp;
+ }
}
splx(s);
n = i;
diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h
index 1e2553e..f8fa0da 100644
--- a/sys/sys/socketvar.h
+++ b/sys/sys/socketvar.h
@@ -293,6 +293,7 @@ MALLOC_DECLARE(M_SONAME);
MALLOC_DECLARE(M_ACCF);
#endif
+extern int showallsockets;
extern int maxsockets;
extern u_long sb_max;
extern struct vm_zone *socket_zone;
@@ -409,6 +410,9 @@ int accept_filt_generic_mod_event __P((module_t mod, int event, void *data));
SYSCTL_DECL(_net_inet_accf);
#endif /* ACCEPT_FILTER_MOD */
+int socheckuid __P((struct socket *so, uid_t uid));
+int socheckproc __P((struct socket *so, struct proc *p));
+
#endif /* _KERNEL */
#endif /* !_SYS_SOCKETVAR_H_ */
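Review bot: The new prototypes name `struct proc`; if no earlier declaration of that tag is visible at this point in the header, the tag acquires prototype scope and the compiler warns that it is declared inside a parameter list, so a `struct proc;` forward declaration before these lines would be needed (existing prototypes in this header may already provide one — confirm). A one-line comment stating the convention, `/* Return 0 if access is allowed, otherwise an errno value (EPERM/ESRCH). */`, would also help readers since the definitions live in uipc_socket.c.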