Only allow users to see their own socket connections if

kern.ipc.showallsockets is set to 0. Submitted by: billf (with modifications by me) Inspired by: Dave McKay (aka pm aka Packet Magnet) Reviewed by: peter MFC after: 2 weeks
svn path=/head/; revision=84527
2001-10-05 07:06:32 +00:00 · 2001-10-05 07:06:32 +00:00 · 4787fd37af · 2020-12-20 02:59:44 +00:00
commit 4787fd37af
parent a1eb245d32
8 changed files with 62 additions and 9 deletions
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@ -92,6 +92,10 @@ static int somaxconn = SOMAXCONN;
 SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW,
    &somaxconn, 0, "Maximum pending socket connection queue size");

+int showallsockets = 1;
+SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets,
+          0, "show users all other users pcb data");
+
 /*
 * Socket operation routines.
 * These routines are called by the routines in
@ -1644,3 +1648,29 @@ filt_solisten(struct knote *kn, long hint)
 	kn->kn_data = so->so_qlen - so->so_incqlen;
 	return (! TAILQ_EMPTY(&so->so_comp));
 }
+
+int
+socheckuid(struct socket *so, uid_t uid)
+{
+
+	if (so == NULL)
+		return (EPERM);
+	if (so->so_cred->cr_uid == uid)
+		return (0);
+	return (EPERM);
+}
+
+int
+socheckproc(struct socket *so, struct proc *p)
+{
+
+	if (p == NULL)
+		return (ESRCH);
+	if (socheckuid(so, p->p_ucred->cr_ruid) == 0)
+		return (0);
+	if (socheckuid(so, p->p_ucred->cr_uid) == 0)
+		return (0);
+	if (!suser_xxx(0, p, PRISON_ROOT))
+		return (0);
+	return (EPERM);
+}
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -859,8 +859,12 @@ unp_pcblist(SYSCTL_HANDLER_ARGS)
 	
 	for (unp = LIST_FIRST(head), i = 0; unp && i < n;
 	     unp = LIST_NEXT(unp, unp_link)) {
-		if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp))
+		if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) {
+			if (!showallsockets && socheckproc(unp->unp_socket,
+			    curthread->td_proc))
+				continue;
 			unp_list[i++] = unp;
+		}
 	}
 	n = i;			/* in case we lost some during malloc */

--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@ -1346,8 +1346,7 @@ ip_fw_chk(struct ip **pip, int hlen,

 			    if (P && P->inp_socket) {
 				if (f->fw_flg & IP_FW_F_UID) {
-					if (P->inp_socket->so_cred->cr_uid !=
-					    f->fw_uid)
+					if (socheckuid(P->inp_socket, f->fw_uid))
 						continue;
 				} else if (!groupmember(f->fw_gid,
 					    P->inp_socket->so_cred))
@ -1375,8 +1374,7 @@ ip_fw_chk(struct ip **pip, int hlen,

 			    if (P && P->inp_socket) {
 				if (f->fw_flg & IP_FW_F_UID) {
-					if (P->inp_socket->so_cred->cr_uid !=
-					    f->fw_uid)
+					if (socheckuid(P->inp_socket, f->fw_uid))
 						continue;
 				} else if (!groupmember(f->fw_gid,
 					    P->inp_socket->so_cred))
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -43,6 +43,7 @@
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
+#include <sys/proc.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@ -628,8 +629,12 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt)
+		if (inp->inp_gencnt <= gencnt) {
+			if (!showallsockets && socheckproc(inp->inp_socket,
+			    curthread->td_proc))
+				continue;
 			inp_list[i++] = inp;
+		}
 	}
 	splx(s);
 	n = i;
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+			if (!showallsockets && socheckproc(inp->inp_socket,
+			    curthread->td_proc))
+				continue;
 			inp_list[i++] = inp;
+		}
 	}
 	splx(s);
 	n = i;
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+			if (!showallsockets && socheckproc(inp->inp_socket,
+			    curthread->td_proc))
+				continue;
 			inp_list[i++] = inp;
+		}
 	}
 	splx(s);
 	n = i;
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@ -579,8 +579,12 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp))
+		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
+			if (!showallsockets && socheckproc(inp->inp_socket,
+			    curthread->td_proc))
+				continue;
 			inp_list[i++] = inp;
+		}
 	}
 	splx(s);
 	n = i;
--- a/sys/sys/socketvar.h
+++ b/sys/sys/socketvar.h
@ -293,6 +293,7 @@ MALLOC_DECLARE(M_SONAME);
 MALLOC_DECLARE(M_ACCF);
 #endif

+extern int	showallsockets;
 extern int	maxsockets;
 extern u_long	sb_max;
 extern struct	vm_zone *socket_zone;
@ -409,6 +410,9 @@ int accept_filt_generic_mod_event __P((module_t mod, int event, void *data));
 SYSCTL_DECL(_net_inet_accf);
 #endif /* ACCEPT_FILTER_MOD */

+int	socheckuid __P((struct socket *so, uid_t uid));
+int	socheckproc __P((struct socket *so, struct proc *p));
+
 #endif /* _KERNEL */

 #endif /* !_SYS_SOCKETVAR_H_ */