- Combine kern.ps_showallprocs and kern.ipc.showallsockets into

a single kern.security.seeotheruids_permitted, describes as: "Unprivileged processes may see subjects/objects with different real uid" NOTE: kern.ps_showallprocs exists in -STABLE, and therefore there is an API change. kern.ipc.showallsockets does not. - Check kern.security.seeotheruids_permitted in cr_cansee(). - Replace visibility calls to socheckuid() with cr_cansee() (retain the change to socheckuid() in ipfw, where it is used for rule-matching). - Remove prison_unpcb() and make use of cr_cansee() against the UNIX domain socket credential instead of comparing root vnodes for the UDS and the process. This allows multiple jails to share the same chroot() and not see each others UNIX domain sockets. - Remove unused socheckproc(). Now that cr_cansee() is used universally for socket visibility, a variety of policies are more consistently enforced, including uid-based restrictions and jail-based restrictions. This also better-supports the introduction of additional MAC models. Reviewed by: ps, billf Obtained from: TrustedBSD Project
2001-10-09 21:40:30 +00:00 · 2001-10-09 21:40:30 +00:00 · 8a7d8cc675
commit 8a7d8cc675
parent bc1ce487e9
8 changed files with 26 additions and 49 deletions
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@ -59,10 +59,6 @@ MALLOC_DEFINE(M_SESSION, "session", "session header");
 static MALLOC_DEFINE(M_PROC, "proc", "Proc structures");
 MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures");

-int ps_showallprocs = 1;
-SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW,
-    &ps_showallprocs, 0, "");
-
 static void pgdelete	__P((struct pgrp *));

 static void	orphanpg __P((struct pgrp *pg));
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@ -1299,7 +1299,6 @@ suser_xxx(cred, proc, flag)
 	return (0);
 }

-
 /*
 * Test (local, globale) securelevel values against passed required
 * securelevel.  _gt implements (level > securelevel), and _ge implements
@ -1357,6 +1356,16 @@ securelevel_ge(struct ucred *cr, int level)
 	}
 }

+/*
+ * kern_security_seeotheruids_permitted determines whether or not visibility
+ * of processes and sockets with credentials holding different real uid's
+ * is possible using a variety of system MIBs.
+ */
+static int	kern_security_seeotheruids_permitted = 1;
+SYSCTL_INT(_kern_security, OID_AUTO, seeotheruids_permitted,
+    CTLFLAG_RW, &kern_security_seeotheruids_permitted, 0,
+    "Unprivileged processes may see subjects/objects with different real uid");
+
 /*-
 * Determine if u1 "can see" the subject specified by u2.
 * Returns: 0 for permitted, an errno value otherwise
@ -1372,7 +1381,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2)

 	if ((error = prison_check(u1, u2)))
 		return (error);
-	if (!ps_showallprocs && u1->cr_ruid != u2->cr_ruid) {
+	if (!kern_security_seeotheruids_permitted &&
+	    u1->cr_ruid != u2->cr_ruid) {
 		if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
 			return (ESRCH);
 	}
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@ -92,10 +92,6 @@ static int somaxconn = SOMAXCONN;
 SYSCTL_INT(_kern_ipc, KIPC_SOMAXCONN, somaxconn, CTLFLAG_RW,
    &somaxconn, 0, "Maximum pending socket connection queue size");

-int showallsockets = 1;
-SYSCTL_INT(_kern_ipc, OID_AUTO, showallsockets, CTLFLAG_RW, &showallsockets,
-          0, "show users all other users pcb data");
-
 /*
 * Socket operation routines.
 * These routines are called by the routines in
@ -1659,18 +1655,3 @@ socheckuid(struct socket *so, uid_t uid)
 		return (0);
 	return (EPERM);
 }
-
-int
-socheckproc(struct socket *so, struct proc *p)
-{
-
-	if (p == NULL)
-		return (ESRCH);
-	if (socheckuid(so, p->p_ucred->cr_ruid) == 0)
-		return (0);
-	if (socheckuid(so, p->p_ucred->cr_uid) == 0)
-		return (0);
-	if (!suser_xxx(0, p, PRISON_ROOT))
-		return (0);
-	return (EPERM);
-}
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@ -802,16 +802,6 @@ unp_abort(unp)
 }
 #endif

-static int
-prison_unpcb(struct proc *p, struct unpcb *unp)
-{
-	if (!jailed(p->p_ucred))
-		return (0);
-	if (p->p_fd->fd_rdir == unp->unp_rvnode)
-		return (0);
-	return (1);
-}
-
 static int
 unp_pcblist(SYSCTL_HANDLER_ARGS)
 {
@ -859,9 +849,9 @@ unp_pcblist(SYSCTL_HANDLER_ARGS)
 	
 	for (unp = LIST_FIRST(head), i = 0; unp && i < n;
 	     unp = LIST_NEXT(unp, unp_link)) {
-		if (unp->unp_gencnt <= gencnt && !prison_unpcb(req->p, unp)) {
-			if (!showallsockets && socheckproc(unp->unp_socket,
-			    curthread->td_proc))
+		if (unp->unp_gencnt <= gencnt) {
+			if (cr_cansee(req->p->p_ucred,
+			    unp->unp_socket->so_cred))
 				continue;
 			unp_list[i++] = unp;
 		}
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@ -630,8 +630,8 @@ rip_pcblist(SYSCTL_HANDLER_ARGS)
 	for (inp = LIST_FIRST(ripcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
 		if (inp->inp_gencnt <= gencnt) {
-			if (!showallsockets && socheckproc(inp->inp_socket,
-			    curthread->td_proc))
+			if (cr_cansee(req->p->p_ucred, 
+			    inp->inp_socket->so_cred))
 				continue;
 			inp_list[i++] = inp;
 		}
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
-			if (!showallsockets && socheckproc(inp->inp_socket,
-			    curthread->td_proc))
+		if (inp->inp_gencnt <= gencnt) {
+			if (cr_cansee(req->p->p_ucred,
+			    inp->inp_socket->so_cred))
 				continue;
 			inp_list[i++] = inp;
 		}
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@ -854,9 +854,9 @@ tcp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(tcbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
-			if (!showallsockets && socheckproc(inp->inp_socket,
-			    curthread->td_proc))
+		if (inp->inp_gencnt <= gencnt) {
+			if (cr_cansee(req->p->p_ucred,
+			    inp->inp_socket->so_cred))
 				continue;
 			inp_list[i++] = inp;
 		}
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@ -579,9 +579,9 @@ udp_pcblist(SYSCTL_HANDLER_ARGS)
 	s = splnet();
 	for (inp = LIST_FIRST(udbinfo.listhead), i = 0; inp && i < n;
 	     inp = LIST_NEXT(inp, inp_list)) {
-		if (inp->inp_gencnt <= gencnt && !prison_xinpcb(req->p, inp)) {
-			if (!showallsockets && socheckproc(inp->inp_socket,
-			    curthread->td_proc))
+		if (inp->inp_gencnt <= gencnt) {
+			if (cr_cansee(req->p->p_ucred,
+			    inp->inp_socket->so_cred))
 				continue;
 			inp_list[i++] = inp;
 		}