From 8a7d8cc675b1af282ea9d2d5fa1cc2debe9d307b Mon Sep 17 00:00:00 2001 From: Robert Watson Date: Tue, 9 Oct 2001 21:40:30 +0000 Subject: [PATCH] - Combine kern.ps_showallprocs and kern.ipc.showallsockets into a single kern.security.seeotheruids_permitted, describes as: "Unprivileged processes may see subjects/objects with different real uid" NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is an API change. kern.ipc.showallsockets does not. - Check kern.security.seeotheruids_permitted in cr_cansee(). - Replace visibility calls to socheckuid() with cr_cansee() (retain the change to socheckuid() in ipfw, where it is used for rule-matching). - Remove prison_unpcb() and make use of cr_cansee() against the UNIX domain socket credential instead of comparing root vnodes for the UDS and the process. This allows multiple jails to share the same chroot() and not see each others UNIX domain sockets. - Remove unused socheckproc(). Now that cr_cansee() is used universally for socket visibility, a variety of policies are more consistently enforced, including uid-based restrictions and jail-based restrictions. This also better-supports the introduction of additional MAC models. Reviewed by: ps, billf Obtained from: TrustedBSD Project --- sys/kern/kern_proc.c | 4 ---- sys/kern/kern_prot.c | 14 ++++++++++++-- sys/kern/uipc_socket.c | 19 ------------------- sys/kern/uipc_usrreq.c | 16 +++------------- sys/netinet/raw_ip.c | 4 ++-- sys/netinet/tcp_subr.c | 6 +++--- sys/netinet/tcp_timewait.c | 6 +++--- sys/netinet/udp_usrreq.c | 6 +++--- 8 files changed, 26 insertions(+), 49 deletions(-) diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c index 5b0e960aa07..6647f73785d 100644 --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -59,10 +59,6 @@ MALLOC_DEFINE(M_SESSION, "session", "session header"); static MALLOC_DEFINE(M_PROC, "proc", "Proc structures"); MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures"); -int ps_showallprocs = 1; -SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW, - &ps_showallprocs, 0, ""); - static void pgdelete __P((struct pgrp *)); static void orphanpg __P((struct pgrp *pg)); diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index bc42d54009c..bc718e44888 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1299,7 +1299,6 @@ suser_xxx(cred, proc, flag) return (0); } - /* * Test (local, globale) securelevel values against passed required * securelevel. _gt implements (level > securelevel), and _ge implements @@ -1357,6 +1356,16 @@ securelevel_ge(struct ucred *cr, int level) } } +/* + * kern_security_seeotheruids_permitted determines whether or not visibility + * of processes and sockets with credentials holding different real uid's + * is possible using a variety of system MIBs. + */ +static int kern_security_seeotheruids_permitted = 1; +SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted, + CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0, + "Unprivileged processes may see subjects/objects with different real uid"); + /*- * Determine if u1 "can see" the subject specified by u2. * Returns: 0 for permitted, an errno value otherwise @@ -1372,7 +1381,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = prison_check(u1, u2))) return (error); - if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) { + if (!kern_security_seeotheruids_permitted && + u1->cr_ruid != u2->cr_ruid) { if (suser_xxx(u1, NULL, PRISON_ROOT) != 0) return (ESRCH); } diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 94b6b0079e0..65ef837df8a 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -92,10 +92,6 @@ static int somaxconn = SOMAXCONN; SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); -int showallsockets = 1; -SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets, - 0, "show users all other users pcb data"); - /* * Socket operation routines. * These routines are called by the routines in @@ -1659,18 +1655,3 @@ socheckuid(struct socket *so, uid_t uid) return (0); return (EPERM); } - -int -socheckproc(struct socket *so, struct proc *p) -{ - - if (p == NULL) - return (ESRCH); - if (socheckuid(so, p->p_ucred->cr_ruid) == 0) - return (0); - if (socheckuid(so, p->p_ucred->cr_uid) == 0) - return (0); - if (!suser_xxx(0, p, PRISON_ROOT)) - return (0); - return (EPERM); -} diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 747dbe20812..12af404d8fd 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -802,16 +802,6 @@ unp_abort(unp) } #endif -static int -prison_unpcb(struct proc *p, struct unpcb *unp) -{ - if (!jailed(p->p_ucred)) - return (0); - if (p->p_fd->fd_rdir == unp->unp_rvnode) - return (0); - return (1); -} - static int unp_pcblist(SYSCTL_HANDLER_ARGS) { @@ -859,9 +849,9 @@ unp_pcblist(SYSCTL_HANDLER_ARGS) for (unp = LIST_FIRST(head), i = 0; unp && i < n; unp = LIST_NEXT(unp, unp_link)) { - if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) { - if (!showallsockets && socheckproc(unp->unp_socket, - curthread->td_proc)) + if (unp->unp_gencnt <= gencnt) { + if (cr_cansee(req->p->p_ucred, + unp->unp_socket->so_cred)) continue; unp_list[i++] = unp; } diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 64c836ef866..1bad6ddfcac 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -630,8 +630,8 @@ rip_pcblist(SYSCTL_HANDLER_ARGS) for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { if (inp->inp_gencnt <= gencnt) { - if (!showallsockets && socheckproc(inp->inp_socket, - curthread->td_proc)) + if (cr_cansee(req->p->p_ucred, + inp->inp_socket->so_cred)) continue; inp_list[i++] = inp; } diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 32b307912b8..99916c6810d 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { - if (!showallsockets && socheckproc(inp->inp_socket, - curthread->td_proc)) + if (inp->inp_gencnt <= gencnt) { + if (cr_cansee(req->p->p_ucred, + inp->inp_socket->so_cred)) continue; inp_list[i++] = inp; } diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c index 32b307912b8..99916c6810d 100644 --- a/sys/netinet/tcp_timewait.c +++ b/sys/netinet/tcp_timewait.c @@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { - if (!showallsockets && socheckproc(inp->inp_socket, - curthread->td_proc)) + if (inp->inp_gencnt <= gencnt) { + if (cr_cansee(req->p->p_ucred, + inp->inp_socket->so_cred)) continue; inp_list[i++] = inp; } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index e9330641c69..463f8b3239e 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -579,9 +579,9 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { - if (!showallsockets && socheckproc(inp->inp_socket, - curthread->td_proc)) + if (inp->inp_gencnt <= gencnt) { + if (cr_cansee(req->p->p_ucred, + inp->inp_socket->so_cred)) continue; inp_list[i++] = inp; }