From 7974ca1cdbee949f5e453eea112be265b425c407 Mon Sep 17 00:00:00 2001 From: Olivier Certner Date: Fri, 18 Aug 2023 01:54:37 +0200 Subject: [PATCH] cr_canseejailproc(): New privilege, no direct check for UID 0 Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of explicitly testing for UID 0 (the former has been the rule for almost 20 years). As a consequence, cr_canseejailproc() now abides by the 'security.bsd.suser_enabled' sysctl and MAC policies. Update the MAC policies Biba and LOMAC, and prison_priv_check() so that they don't deny this privilege. This preserves the existing behavior (the 'root' user is not restricted, even when jailed, unless 'security.bsd.suser_enabled' is not 0) and is consistent with what is done for the related policies/privileges (PRIV_SEEOTHERGIDS, PRIV_SEEOTHERUIDS). Reviewed by: emaste (earlier version), mhorne MFC after: 2 weeks Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40626 --- sys/kern/kern_jail.c | 1 + sys/kern/kern_prot.c | 7 +++++-- sys/security/mac_biba/mac_biba.c | 1 + sys/security/mac_lomac/mac_lomac.c | 1 + sys/sys/priv.h | 1 + 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 0c1f565638da..66bcd77ca8d2 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3939,6 +3939,7 @@ prison_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: /* * Jail implements inter-process debugging limits already, so diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 19e0b78c6709..ed15cb566499 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1426,9 +1426,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW, int cr_canseejailproc(struct ucred *u1, struct ucred *u2) { - if (u1->cr_uid == 0) + if (see_jail_proc || /* Policy deactivated. */ + u1->cr_prison == u2->cr_prison || /* Same jail. */ + priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */ return (0); - return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0); + + return (ESRCH); } /*- diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c index 6948548503e1..5d66e2fd4b9b 100644 --- a/sys/security/mac_biba/mac_biba.c +++ b/sys/security/mac_biba/mac_biba.c @@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c index 05bd0da06960..aa9abf458721 100644 --- a/sys/security/mac_lomac/mac_lomac.c +++ b/sys/security/mac_lomac/mac_lomac.c @@ -1702,6 +1702,7 @@ lomac_priv_check(struct ucred *cred, int priv) */ case PRIV_SEEOTHERGIDS: case PRIV_SEEOTHERUIDS: + case PRIV_SEEJAILPROC: break; /* diff --git a/sys/sys/priv.h b/sys/sys/priv.h index 45cb5bab4275..a61de8d32fe0 100644 --- a/sys/sys/priv.h +++ b/sys/sys/priv.h @@ -105,6 +105,7 @@ #define PRIV_CRED_SETRESGID 58 /* setresgid. */ #define PRIV_SEEOTHERGIDS 59 /* Exempt bsd.seeothergids. */ #define PRIV_SEEOTHERUIDS 60 /* Exempt bsd.seeotheruids. */ +#define PRIV_SEEJAILPROC 61 /* Exempt from bsd.see_jail_proc. */ /* * Debugging privileges.