From: Steve Wills
To: freebsd-jail@freebsd.org
Subject: hiding jail processes from users
Date: Wed, 17 May 2017 11:07:52 -0400
Message-ID: <2e15fbf6-cfb9-6e9a-856d-3602dd1b92fb@mouf.net>

Hi,

I noticed that users can see jail processes even when security.bsd.see_other_uids=0 and security.bsd.see_other_gids=0 are set, if the process happens to be the same UID/GID as the user. So I created a patch which adds a security.bsd.see_jail_proc sysctl which hides jail processes from non-root users regardless of see_other_*. The patch is here:

https://reviews.freebsd.org/D10770

Any feedback would be appreciated.

Thanks,
Steve
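
The visibility gap described in the message above, as an added example that is not part of the original post, not FreeBSD kernel code and not the D10770 patch. It is a simplified model: `struct cred`, `struct policy` and `can_see` are hypothetical names, each credential carries a single gid, jid 0 means the host, and the sample UIDs and jail ID are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption): one gid per credential, jid 0 = host. */
struct cred   { unsigned uid, gid; int jid; };
/* The two existing sysctls plus the one the post proposes (1 = allow). */
struct policy { bool see_other_uids, see_other_gids, see_jail_proc; };

/* Returns true when `viewer` would be shown `target` in a process listing. */
static bool can_see(struct policy p, struct cred viewer, struct cred target)
{
    /* A jailed viewer never sees outside its own jail (child jails ignored). */
    if (viewer.jid != 0 && viewer.jid != target.jid)
        return false;
    /* The restrictions below apply to non-root users only. */
    if (viewer.uid == 0)
        return true;
    if (!p.see_other_uids && viewer.uid != target.uid)
        return false;
    if (!p.see_other_gids && viewer.gid != target.gid)
        return false;
    /* Proposed knob: hide processes in another jail even when the
     * UID/GID happen to match. Modelled here as a jid comparison (assumption). */
    if (!p.see_jail_proc && viewer.jid != target.jid)
        return false;
    return true;
}

int main(void)
{
    struct policy without_knob = { false, false, true  };
    struct policy with_knob    = { false, false, false };
    struct cred host_user   = { 1001, 1001, 0 };  /* constructed sample values */
    struct cred jailed_proc = { 1001, 1001, 3 };  /* same UID/GID, inside jail 3 */
    struct cred host_root   = { 0, 0, 0 };

    printf("see_other_*=0 only:       user sees jailed proc: %d\n",
           can_see(without_knob, host_user, jailed_proc));
    printf("plus see_jail_proc=0:     user sees jailed proc: %d\n",
           can_see(with_knob, host_user, jailed_proc));
    printf("plus see_jail_proc=0:     root sees jailed proc: %d\n",
           can_see(with_knob, host_root, jailed_proc));
    return 0;
}
```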