Add a sysctl, security.bsd.see_other_gids, similar in semantics

to see_other_uids but with the logical conversion. This is based on (but not identical to) the patch submitted by Samy Al Bahra. Submitted by: Samy Al Bahra <samy@kerneled.com>
2003-11-17 20:20:53 +00:00 · 2003-11-17 20:20:53 +00:00 · 64d19c2ea7
commit 64d19c2ea7
parent a2f046e874
1 changed files with 51 additions and 2 deletions
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -1323,6 +1323,46 @@ cr_seeotheruids(struct ucred *u1, struct ucred *u2)
 	return (0);
 }

+/*
+ * 'see_other_gids' determines whether or not visibility of processes
+ * and sockets with credentials holding different real gids is possible
+ * using a variety of system MIBs.
+ * XXX: data declarations should be together near the beginning of the file.
+ */
+static int	see_other_gids = 1;
+SYSCTL_INT(_security_bsd, OID_AUTO, see_other_gids, CTLFLAG_RW,
+    &see_other_gids, 0,
+    "Unprivileged processes may see subjects/objects with different real gid");
+
+/*
+ * Determine if u1 can "see" the subject specified by u2, according to the
+ * 'see_other_gids' policy.
+ * Returns: 0 for permitted, ESRCH otherwise
+ * Locks: none
+ * References: *u1 and *u2 must not change during the call
+ *             u1 may equal u2, in which case only one reference is required
+ */
+static int
+cr_seeothergids(struct ucred *u1, struct ucred *u2)
+{
+	int i, match;
+	
+	if (!see_other_gids) {
+		match = 0;
+		for (i = 0; i < u1->cr_ngroups; i++) {
+			if (groupmember(u1->cr_groups[i], u2))
+				match = 1;
+			if (match)
+				break;
+		}
+		if (!match) {
+			if (suser_cred(u1, PRISON_ROOT) != 0)
+				return (ESRCH);
+		}
+	}
+	return (0);
+}
+
 /*-
 * Determine if u1 "can see" the subject specified by u2.
 * Returns: 0 for permitted, an errno value otherwise
@ -1343,6 +1383,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
 #endif
 	if ((error = cr_seeotheruids(u1, u2)))
 		return (error);
+	if ((error = cr_seeothergids(u1, u2)))
+		return (error);
 	return (0);
 }

@ -1400,8 +1442,9 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
 	if ((error = mac_check_proc_signal(cred, proc, signum)))
 		return (error);
 #endif
-	error = cr_seeotheruids(cred, proc->p_ucred);
-	if (error)
+	if ((error = cr_seeotheruids(cred, proc->p_ucred)))
+		return (error);
+	if ((error = cr_seeothergids(cred, proc->p_ucred)))
 		return (error);

 	/*
@ -1508,6 +1551,8 @@ p_cansched(struct thread *td, struct proc *p)
 #endif
 	if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 		return (error);
+	if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
+		return (error);
 	if (td->td_ucred->cr_ruid == p->p_ucred->cr_ruid)
 		return (0);
 	if (td->td_ucred->cr_uid == p->p_ucred->cr_ruid)
@ -1569,6 +1614,8 @@ p_candebug(struct thread *td, struct proc *p)
 #endif
 	if ((error = cr_seeotheruids(td->td_ucred, p->p_ucred)))
 		return (error);
+	if ((error = cr_seeothergids(td->td_ucred, p->p_ucred)))
+		return (error);

 	/*
 	 * Is p's group set a subset of td's effective group set?  This
@ -1648,6 +1695,8 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
 #endif
 	if (cr_seeotheruids(cred, so->so_cred))
 		return (ENOENT);
+	if (cr_seeothergids(cred, so->so_cred))
+		return (ENOENT);

 	return (0);
 }