system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 10:48:02 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

cr_canseejailproc(): New privilege, no direct check for UID 0

Browse source 
Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of
explicitly testing for UID 0 (the former has been the rule for almost 20
years).

As a consequence, cr_canseejailproc() now abides by the
'security.bsd.suser_enabled' sysctl and MAC policies.

Update the MAC policies Biba and LOMAC, and prison_priv_check() so that
they don't deny this privilege.  This preserves the existing behavior
(the 'root' user is not restricted, even when jailed, unless
'security.bsd.suser_enabled' is not 0) and is consistent with what is
done for the related policies/privileges (PRIV_SEEOTHERGIDS,
PRIV_SEEOTHERUIDS).

Reviewed by:            emaste (earlier version), mhorne
MFC after:              2 weeks
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40626
This commit is contained in:
Olivier Certner 2023-08-18 01:54:37 +02:00 committed by Mitchell Horne
parent 62d3f57c22
commit 7974ca1cdb
5 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
sys/kern/kern_jail.c
View file

@ -3939,6 +3939,7 @@ prison_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
case PRIV_SEEJAILPROC:
/*
* Jail implements inter-process debugging limits already, so

7
sys/kern/kern_prot.c
View file

@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
int
cr_canseejailproc(struct ucred *u1, struct ucred *u2)
{
if (u1->cr_uid == 0)
if (see_jail_proc || /* Policy deactivated. */
u1->cr_prison == u2->cr_prison || /* Same jail. */
priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
return (0);
return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
return (ESRCH);
}
/*-

1
sys/security/mac_biba/mac_biba.c
View file

@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
case PRIV_SEEJAILPROC:
break;
/*

1
sys/security/mac_lomac/mac_lomac.c
View file

@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv)
*/
case PRIV_SEEOTHERGIDS:
case PRIV_SEEOTHERUIDS:
case PRIV_SEEJAILPROC:
break;
/*

1
sys/sys/priv.h
View file

@ -105,6 +105,7 @@
#define PRIV_CRED_SETRESGID 58 /* setresgid. */
#define PRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */
#define PRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */
#define PRIV_SEEJAILPROC 61 /* Exempt from bsd.see_jail_proc. */
/*
* Debugging privileges.