diff options
| -rw-r--r-- | sys/kern/kern_prot.c | 53 |
1 files changed, 51 insertions, 2 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 4a09fbc..0f0fc40 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1323,6 +1323,46 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2) return (0); } +/* + * 'see_other_gids' determines whether or not visibility of processes + * and sockets with credentials holding different real gids is possible + * using a variety of system MIBs. + * XXX: data declarations should be together near the beginning of the file. + */ +static int see_other_gids = 1; +SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW, + &see_other_gids, 0, + "Unprivileged processes may see subjects/objects with different real gid"); + +/* + * Determine if u1 can "see" the subject specified by u2, according to the + * 'see_other_gids' policy. + * Returns: 0 for permitted, ESRCH otherwise + * Locks: none + * References: *u1 and *u2 must not change during the call + * u1 may equal u2, in which case only one reference is required + */ +static int +cr_seeothergids(struct ucred *u1, struct ucred *u2) +{ + int i, match; + + if (!see_other_gids) { + match = 0; + for (i = 0; i < u1->cr_ngroups; i++) { + if (groupmember(u1->cr_groups[i], u2)) + match = 1; + if (match) + break; + } + if (!match) { + if (suser_cred(u1, PRISON_ROOT) != 0) + return (ESRCH); + } + } + return (0); +} + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise @@ -1343,6 +1383,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2) #endif if ((error = cr_seeotheruids(u1, u2))) return (error); + if ((error = cr_seeothergids(u1, u2))) + return (error); return (0); } @@ -1400,8 +1442,9 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if ((error = mac_check_proc_signal(cred, proc, signum))) return (error); #endif - error = cr_seeotheruids(cred, proc->p_ucred); - if (error) + if ((error = cr_seeotheruids(cred, proc->p_ucred))) + return (error); + if ((error = cr_seeothergids(cred, proc->p_ucred))) return (error); /* @@ -1508,6 +1551,8 @@ p_cansched(struct thread *td, struct proc *p) #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) return (error); + if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) + return (error); if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid) return (0); if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid) @@ -1569,6 +1614,8 @@ p_candebug(struct thread *td, struct proc *p) #endif if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred))) return (error); + if ((error = cr_seeothergids(td->td_ucred, p->p_ucred))) + return (error); /* * Is p's group set a subset of td's effective group set? This @@ -1648,6 +1695,8 @@ cr_canseesocket(struct ucred *cred, struct socket *so) #endif if (cr_seeotheruids(cred, so->so_cred)) return (ENOENT); + if (cr_seeothergids(cred, so->so_cred)) + return (ENOENT); return (0); } |
