-rw-r--r-- | sys/kern/kern_jail.c | 9 | ||||
-rw-r--r-- | sys/kern/kern_resource.c | 18 | ||||
-rw-r--r-- | sys/kern/uipc_socket.c | 9 | ||||
-rw-r--r-- | sys/sys/jail.h | 1 |
4 files changed, 31 insertions, 6 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 90c9aa8..af18a5e 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -34,6 +34,11 @@ SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
     &jail_set_hostname_allowed, 0,
     "Processes in jail can set their hostnames");
 
+int jail_socket_unixiproute_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+    &jail_socket_unixiproute_only, 0,
+    "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+
 int
 jail(p, uap)
 	struct proc *p;
@@ -126,7 +131,9 @@ prison_if(struct proc *p, struct sockaddr *sa)
 	struct sockaddr_in *sai = (struct sockaddr_in*) sa;
 	int ok;
 
-	if (sai->sin_family != AF_INET)
+	if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+		ok = 1;
+	else if (sai->sin_family != AF_INET)
 		ok = 0;
 	else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
 		ok = 1;
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 2c6478d..11039ad 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -88,6 +88,8 @@ getpriority(curp, uap)
 		p = pfind(uap->who);
 		if (p == 0)
 			break;
+		if (!PRISON_CHECK(curp, p))
+			break;
 		low = p->p_nice;
 		break;
 
@@ -99,7 +101,7 @@ getpriority(curp, uap)
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
-			if (p->p_nice < low)
+			if ((PRISON_CHECK(curp, p) && p->p_nice < low))
 				low = p->p_nice;
 		}
 		break;
@@ -109,7 +111,8 @@ getpriority(curp, uap)
 		if (uap->who == 0)
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
-			if (p->p_ucred->cr_uid == uap->who &&
+			if (PRISON_CHECK(curp, p) &&
+			    p->p_ucred->cr_uid == uap->who &&
 			    p->p_nice < low)
 				low = p->p_nice;
 		break;
@@ -148,6 +151,8 @@ setpriority(curp, uap)
 		p = pfind(uap->who);
 		if (p == 0)
 			break;
+		if (!PRISON_CHECK(curp, p))
+			break;
 		error = donice(curp, p, uap->prio);
 		found++;
 		break;
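Review bot: jail_socket_unixiproute_only is a global CTLFLAG_RW knob with no comment on who is expected to change it; whether a process with p_prison set can write it depends on the sysctl write path, which this diff does not touch, so it is worth confirming that such writes are refused — otherwise a jailed root could switch off its own socket restriction. A one-line comment above the definition would make the intent explicit: `/* Global jail policy; must only be changeable from outside a jail. */`. The description string (UNIX/IPv4/route) matches the PF_LOCAL/PF_INET/PF_ROUTE test this commit adds to socreate(), which is the only enforcement point visible here.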
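Review bot: When jail_socket_unixiproute_only is cleared, the new first branch is skipped and a non-AF_INET sockaddr falls through to `ok = 0` exactly as before, so the sysctl does not just lift the socket-creation limit — it also leaves every non-IPv4 address unchecked by prison_if(), since the only address comparison in the hunk is the pr_ip test on the AF_INET path. That coupling is not obvious from the sysctl name and deserves a comment above the first `if`: `/* Non-IPv4 addresses are rejected while the jail is limited to UNIX/IPv4/route sockets; otherwise they are not confined here. */`. The meaning of ok != 0 as a rejection is inferred from the pr_ip mismatch branch; prison_if()'s return is outside the hunk.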
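Review bot: The doubled parentheses in `if ((PRISON_CHECK(curp, p) && p->p_nice < low))` in the getpriority PRIO_PGRP hunk are redundant and read like a leftover from editing; `if (PRISON_CHECK(curp, p) && p->p_nice < low)` matches the form used in the neighbouring hunks of this file. Behaviour is identical either way.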
@@ -160,8 +165,10 @@ setpriority(curp, uap)
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
-			error = donice(curp, p, uap->prio);
-			found++;
+			if (PRISON_CHECK(curp, p)) {
+				error = donice(curp, p, uap->prio);
+				found++;
+			}
 		}
 		break;
 	}
@@ -170,7 +177,8 @@ setpriority(curp, uap)
 		if (uap->who == 0)
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
-			if (p->p_ucred->cr_uid == uap->who) {
+			if (p->p_ucred->cr_uid == uap->who &&
+			    PRISON_CHECK(curp, p)) {
 				error = donice(curp, p, uap->prio);
 				found++;
 			}
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 76495e1..7313811 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -53,6 +53,7 @@
 #include <sys/signalvar.h>
 #include <sys/sysctl.h>
 #include <sys/uio.h>
+#include <sys/jail.h>
 #include <vm/vm_zone.h>
 
 #include <machine/limits.h>
@@ -133,6 +134,14 @@ socreate(dom, aso, type, proto, p)
 		prp = pffindproto(dom, proto, type);
 	else
 		prp = pffindtype(dom, type);
+
+	if (p->p_prison && jail_socket_unixiproute_only &&
+	    prp->pr_domain->dom_family != PF_LOCAL &&
+	    prp->pr_domain->dom_family != PF_INET &&
+	    prp->pr_domain->dom_family != PF_ROUTE) {
+		return (EPROTONOSUPPORT);
+	}
+
 	if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
 		return (EPROTONOSUPPORT);
 	if (prp->pr_type != type)
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index a9e9861..0d07b6c 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -47,6 +47,7 @@ struct prison {
  * Sysctl-set variables that determine global jail policy
  */
 extern int jail_set_hostname_allowed;
+extern int jail_socket_unixiproute_only;
 
 #endif /* !_KERNEL */
 #endif /* !_SYS_JAIL_H_ */
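Review bot: In the setpriority PRIO_USER hunk the PRISON_CHECK test is placed after the uid comparison, whereas the getpriority PRIO_USER hunk in the same commit puts it first; the two loops walk allproc with the same intent and should use one order, e.g. `if (PRISON_CHECK(curp, p) && p->p_ucred->cr_uid == uap->who) {`. The result is the same either way provided PRISON_CHECK is a side-effect-free comparison, which its definition (not in this diff) should be checked for.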
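Review bot: The new jail test in socreate() dereferences `prp->pr_domain` before the pre-existing `if (prp == 0 || ...)` guard that immediately follows it, and that guard shows prp can legitimately be NULL when pffindproto()/pffindtype() find nothing; a jailed process calling socket() with an unknown domain or protocol therefore faults the kernel on `prp->pr_domain->dom_family` instead of getting EPROTONOSUPPORT — a panic reachable from inside the jail, which is the opposite of what the restriction is for. Either move the new block below the NULL check or make `prp != 0` the first operand: `if (p->p_prison && jail_socket_unixiproute_only && prp != 0 &&`. socreate()'s head and the rest of its body are outside the hunk.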