From d8370f667da0469f2618c75d4827cd30d389f233 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Fri, 22 Mar 2002 02:28:26 +0000
Subject: [PATCH] Break out the "see_other_uids" policy check from the various method-based inter-process security checks. To do this, introduce a new cr_seeotheruids(u1, u2) function, which encapsulates the "see_other_uids" logic. Call out to this policy following the jail security check for all of {debug,sched,see,signal} inter-process checks. This more consistently enforces the check, and makes the check easy to modify. Eventually, it may be that this check should become a MAC policy, loaded via a module.

Obtained from: TrustedBSD Project
Sponsored by: DARPA, NAI Labs
---
 sys/kern/kern_prot.c | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index a259919807dc..74f25bf7d3ac 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1391,6 +1391,25 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_other_uids, CTLFLAG_RW,
  &see_other_uids, 0,
  "Unprivileged processes may see subjects/objects with different real uid");
 
+/*-
+ * Determine if u1 "can see" the subject specified by u2, according to the
+ * 'see_other_uids' policy.
+ * Returns: 0 for permitted, ESRCH otherwise
+ * Locks: none
+ * References: *u1 and *u2 must not change during the call
+ * u1 may equal u2, in which case only one reference is required
+ */
+static int
+cr_seeotheruids(struct ucred *u1, struct ucred *u2)
+{
+
+ if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
+ if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
+ return (ESRCH);
+ }
+ return (0);
+}
+
 /*-
  * Determine if u1 "can see" the subject specified by u2.
  * Returns: 0 for permitted, an errno value otherwise
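Review bot: cr_seeotheruids() is only safe to call after prison_check(u1, u2) has passed, because the suser_xxx(u1, NULL, PRISON_ROOT) override presumably lets a jailed root through, yet the new header comment records no such precondition even though every caller in this commit deliberately orders it after the jail check. Suggest adding to the comment block `* Callers must already have passed prison_check(u1, u2); the PRISON_ROOT override is only meaningful inside that boundary.` so a future caller cannot use it as a stand-alone visibility check. It would also help to note that the comparison is on cr_ruid only, matching the sysctl's "different real uid" description, so differing effective uids are intentionally not considered.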
@@ -1405,10 +1424,8 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
 
  if ((error = prison_check(u1, u2)))
  return (error);
- if (!see_other_uids && u1->cr_ruid != u2->cr_ruid) {
- if (suser_xxx(u1, NULL, PRISON_ROOT) != 0)
- return (ESRCH);
- }
+ if ((error = cr_seeotheruids(u1, u2)))
+ return (error);
  return (0);
 }
 
@@ -1444,6 +1461,9 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
  * same jail as cred, if cred is in jail.
  */
  error = prison_check(cred, proc->p_ucred);
+ if (error)
+ return (error);
+ error = cr_seeotheruids(cred, proc->p_ucred);
  if (error)
  return (error);
 
@@ -1539,6 +1559,8 @@ p_cansched(struct proc *p1, struct proc *p2)
  return (0);
  if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
  return (error);
+ if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred)))
+ return (error);
  if (p1->p_ucred->cr_ruid == p2->p_ucred->cr_ruid)
  return (0);
  if (p1->p_ucred->cr_uid == p2->p_ucred->cr_ruid)
@@ -1592,6 +1614,8 @@ p_candebug(struct proc *p1, struct proc *p2)
  return (0);
  if ((error = prison_check(p1->p_ucred, p2->p_ucred)))
  return (error);
+ if ((error = cr_seeotheruids(p1->p_ucred, p2->p_ucred)))
+ return (error);
  /*
  * Is p2's group set a subset of p1's effective group set? This
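Review bot: The new cr_seeotheruids() call in cr_cansignal sits directly under a comment that explains only the jail check ("same jail as cred, if cred is in jail"), so a reader will take that comment as covering both calls; a one-line comment before the new assignment, e.g. `/* Then apply the see_other_uids visibility policy. */`, would keep the two policies distinguishable. The two-statement `error = ...; if (error)` form matches the surrounding prison_check code here but differs from the `if ((error = ...))` form this same commit uses in cr_cansee, p_cansched and p_candebug; either is fine, but one style per commit reads better. cr_cansignal's body starts and continues outside this hunk.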
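Review bot: With the new call, p_cansched now propagates ESRCH when the see_other_uids policy denies, since cr_seeotheruids is documented to return ESRCH rather than the EPERM that the rest of this function presumably returns for its own denials; hiding the target's existence is a reasonable choice, but callers will now see a "no such process" style error for a process that does exist, which deserves a short comment at the call site, e.g. `/* A visibility denial is reported as ESRCH, not EPERM, so the target is not revealed. */`. The same applies to the p_candebug hunk below, which makes the identical change. p_cansched's body begins outside the hunk and only the first of its uid comparisons is visible here.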