From 4787fd37afe99cf1467e11d9946669b59b4f0e92 Mon Sep 17 00:00:00 2001 From: Paul Saab Date: Fri, 5 Oct 2001 07:06:32 +0000 Subject: [PATCH] Only allow users to see their own socket connections if kern.ipc.showallsockets is set to 0. Submitted by: billf (with modifications by me) Inspired by: Dave McKay (aka pm aka Packet Magnet) Reviewed by: peter MFC after: 2 weeks --- sys/kern/uipc_socket.c | 30 ++++++++++++++++++++++++++++++ sys/kern/uipc_usrreq.c | 6 +++++- sys/netinet/ip_fw.c | 6 ++---- sys/netinet/raw_ip.c | 7 ++++++- sys/netinet/tcp_subr.c | 6 +++++- sys/netinet/tcp_timewait.c | 6 +++++- sys/netinet/udp_usrreq.c | 6 +++++- sys/sys/socketvar.h | 4 ++++ 8 files changed, 62 insertions(+), 9 deletions(-) diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 0b4052269aca..94b6b0079e0d 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -92,6 +92,10 @@ static int somaxconn = SOMAXCONN; SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW, &somaxconn, 0, "Maximum pending socket connection queue size"); +int showallsockets = 1; +SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets, + 0, "show users all other users pcb data"); + /* * Socket operation routines. * These routines are called by the routines in @@ -1644,3 +1648,29 @@ filt_solisten(struct knote *kn, long hint) kn->kn_data = so->so_qlen - so->so_incqlen; return (! TAILQ_EMPTY(&so->so_comp)); } + +int +socheckuid(struct socket *so, uid_t uid) +{ + + if (so == NULL) + return (EPERM); + if (so->so_cred->cr_uid == uid) + return (0); + return (EPERM); +} + +int +socheckproc(struct socket *so, struct proc *p) +{ + + if (p == NULL) + return (ESRCH); + if (socheckuid(so, p->p_ucred->cr_ruid) == 0) + return (0); + if (socheckuid(so, p->p_ucred->cr_uid) == 0) + return (0); + if (!suser_xxx(0, p, PRISON_ROOT)) + return (0); + return (EPERM); +} diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 74807739fa5b..747dbe20812b 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -859,8 +859,12 @@ unp_pcblist(SYSCTL_HANDLER_ARGS) for (unp = LIST_FIRST(head), i = 0; unp && i < n; unp = LIST_NEXT(unp, unp_link)) { - if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) + if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) { + if (!showallsockets && socheckproc(unp->unp_socket, + curthread->td_proc)) + continue; unp_list[i++] = unp; + } } n = i; /* in case we lost some during malloc */ diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c index fbd2e90613b2..320672c1cc6c 100644 --- a/sys/netinet/ip_fw.c +++ b/sys/netinet/ip_fw.c @@ -1346,8 +1346,7 @@ ip_fw_chk(struct ip **pip, int hlen, if (P && P->inp_socket) { if (f->fw_flg & IP_FW_F_UID) { - if (P->inp_socket->so_cred->cr_uid != - f->fw_uid) + if (socheckuid(P->inp_socket, f->fw_uid)) continue; } else if (!groupmember(f->fw_gid, P->inp_socket->so_cred)) @@ -1375,8 +1374,7 @@ ip_fw_chk(struct ip **pip, int hlen, if (P && P->inp_socket) { if (f->fw_flg & IP_FW_F_UID) { - if (P->inp_socket->so_cred->cr_uid != - f->fw_uid) + if (socheckuid(P->inp_socket, f->fw_uid)) continue; } else if (!groupmember(f->fw_gid, P->inp_socket->so_cred)) diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 54c30ac63902..64c836ef866e 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -43,6 +43,7 @@ #include #include #include +#include #include #include #include @@ -628,8 +629,12 @@ rip_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt) + if (inp->inp_gencnt <= gencnt) { + if (!showallsockets && socheckproc(inp->inp_socket, + curthread->td_proc)) + continue; inp_list[i++] = inp; + } } splx(s); n = i; diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index b575415632fa..32b307912b88 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) + if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { + if (!showallsockets && socheckproc(inp->inp_socket, + curthread->td_proc)) + continue; inp_list[i++] = inp; + } } splx(s); n = i; diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c index b575415632fa..32b307912b88 100644 --- a/sys/netinet/tcp_timewait.c +++ b/sys/netinet/tcp_timewait.c @@ -854,8 +854,12 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) + if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { + if (!showallsockets && socheckproc(inp->inp_socket, + curthread->td_proc)) + continue; inp_list[i++] = inp; + } } splx(s); n = i; diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index a9efeab33f45..e9330641c69c 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -579,8 +579,12 @@ udp_pcblist(SYSCTL_HANDLER_ARGS) s = splnet(); for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n; inp = LIST_NEXT(inp, inp_list)) { - if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) + if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) { + if (!showallsockets && socheckproc(inp->inp_socket, + curthread->td_proc)) + continue; inp_list[i++] = inp; + } } splx(s); n = i; diff --git a/sys/sys/socketvar.h b/sys/sys/socketvar.h index 1e2553e887dc..f8fa0da58c08 100644 --- a/sys/sys/socketvar.h +++ b/sys/sys/socketvar.h @@ -293,6 +293,7 @@ MALLOC_DECLARE(M_SONAME); MALLOC_DECLARE(M_ACCF); #endif +extern int showallsockets; extern int maxsockets; extern u_long sb_max; extern struct vm_zone *socket_zone; @@ -409,6 +410,9 @@ int accept_filt_generic_mod_event __P((module_t mod, int event, void *data)); SYSCTL_DECL(_net_inet_accf); #endif /* ACCEPT_FILTER_MOD */ +int socheckuid __P((struct socket *so, uid_t uid)); +int socheckproc __P((struct socket *so, struct proc *p)); + #endif /* _KERNEL */ #endif /* !_SYS_SOCKETVAR_H_ */