From owner-freebsd-bugs Sun Apr 9 6:40: 6 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 599D737B728 for ; Sun, 9 Apr 2000 06:40:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id GAA81171; Sun, 9 Apr 2000 06:40:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from ada.eu.org (marvin.enst.fr [137.194.161.2]) by hub.freebsd.org (Postfix) with ESMTP id 72D1837B506 for ; Sun, 9 Apr 2000 06:30:01 -0700 (PDT) (envelope-from sam@ada.eu.org)
Received: from antinea.enst.fr (antinea.enst.fr [137.194.160.145]) by ada.eu.org (Postfix) with ESMTP id B49C11905C for ; Sun, 9 Apr 2000 15:29:38 +0200 (CEST)
Received: by antinea.enst.fr (Postfix, from userid 1000) id A609E3D9; Sun, 9 Apr 2000 15:29:32 +0200 (CEST)
Message-Id: <20000409132932.A609E3D9@antinea.enst.fr>
Date: Sun, 9 Apr 2000 15:29:32 +0200 (CEST)
From: sam@ada.eu.org
Reply-To: sam@ada.eu.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/17878: Jail user can change priority of outside processes
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 17878
>Category: kern
>Synopsis: Jail user can change priority of outside processes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 9 06:40:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Samuel Tardieu
>Release: FreeBSD 5.0-CURRENT i386
>Organization: TELECOM Paris
>Environment:
Any jail will do.
>Description:
A user (such as root) in a jail is able to use setpriority() (e.g., through the renice command) to lower the priority level (increase the nice value) of a process which lives outside.
>How-To-Repeat:
From within the jail, try

# renice 5 PID

where PID is a regular process which lives out of the jail (and thus cannot be seen using ps from within the jail).
>Fix:
The following patch should correct this. However, I wonder if functions such as pfind() should not take another argument which would be the curproc value when applicable. It would require changing all the pfind() calls in the kernel, but would add extra security. Of course, process iterators would still have to be modified to honor the jail. Also, note that real-time priorities may suffer from the same problem.

--- kern_resource.c.orig Sun Apr 9 12:06:38 2000 +++ kern_resource.c Sun Apr 9 12:31:53 2000 @@ -86,7 +86,7 @@ p = curp; else p = pfind(uap->who); - if (p == 0) + if (p == 0 || !PRISON_CHECK(curp, p)) break; low = p->p_nice; break; @@ -98,6 +98,8 @@ pg = curp->p_pgrp; else if ((pg = pgfind(uap->who)) == NULL) break; + if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members))) + break; LIST_FOREACH(p, &pg->pg_members, p_pglist) { if (p->p_nice < low) low = p->p_nice;
@@ -110,7 +112,8 @@ uap->who = curp->p_ucred->cr_uid; LIST_FOREACH(p, &allproc, p_list) if (p->p_ucred->cr_uid == uap->who && - p->p_nice < low) + p->p_nice < low && + PRISON_CHECK(curp, p)) low = p->p_nice; break; @@ -146,7 +149,7 @@ p = curp; else p = pfind(uap->who); - if (p == 0) + if (p == 0 || !PRISON_CHECK(curp, p)) break; error = donice(curp, p, uap->prio); found++; @@ -159,6 +162,8 @@ pg = curp->p_pgrp; else if ((pg = pgfind(uap->who)) == NULL) break; + if (!PRISON_CHECK(curp, LIST_FIRST(&pg->pg_members))) + break; LIST_FOREACH(p, &pg->pg_members, p_pglist) { error = donice(curp, p, uap->prio); found++; @@ -170,7 +175,8 @@ if (uap->who == 0) uap->who = curp->p_ucred->cr_uid; LIST_FOREACH(p, &allproc, p_list) - if (p->p_ucred->cr_uid == uap->who) { + if (p->p_ucred->cr_uid == uap->who && + PRISON_CHECK(curp, p)) { error = donice(curp, p, uap->prio); found++; } @@ -239,7 +245,7 @@ else p = pfind(uap->pid); - if (p == 0) + if (p == 0 || !PRISON_CHECK(curp, p)) return (ESRCH); switch (uap->function) {
>Release-Note:
>Audit-Trail:
>Unformatted:
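Review bot: In the getpriority PRIO_PGRP hunk (@@ -98,6 +98,8 @@), testing only `LIST_FIRST(&pg->pg_members)` assumes every member of the group is in the same prison as its first member, and nothing in the patch guarantees that; a group whose first member happens to be in the caller's prison would still have the nice values of its other members read. The PRIO_USER hunk in the same function already does the check per process, so do the same here: drop the two added lines and put `if (!PRISON_CHECK(curp, p)) continue;` at the top of the LIST_FOREACH body, ahead of `if (p->p_nice < low)`.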
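Review bot: The setpriority PRIO_PGRP hunk (@@ -159,6 +162,8 @@) has the same first-member-only gap as its getpriority counterpart, and here it is the more serious one because `donice()` is then applied to every member of the group, which is exactly the renice-from-inside-the-jail case the PR describes. Move the check inside the loop, `if (!PRISON_CHECK(curp, p)) continue;` before `error = donice(curp, p, uap->prio);`, so that `found` only counts processes the caller was actually allowed to touch and the existing ESRCH path still fires when none were.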
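Review bot: The last hunk (@@ -239,7 +245,7 @@) returns ESRCH when PRISON_CHECK fails, which is the right error to pick: it is the same result as for a pid that does not exist, so a jailed caller learns nothing about outside pids from the call. This is also the rtprio path, so it already covers the real-time priority concern the >Fix: text leaves open; the description could say so rather than list it as a possible remaining problem.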
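A userland model, added here and not part of the PR or of FreeBSD's kern_resource.c, of the rule the patch applies: a process may only be seen or reniced through setpriority when the kernel's PRISON_CHECK(curp, p) holds. The struct fields, jail ids and process table are constructed for the example; it applies the check per process for all three `which` selectors, which goes beyond the patch's PRIO_PGRP hunks that test only the group's first member.

```c
#include <stddef.h>
#include <errno.h>
#define PRIO_PROCESS 0
#define PRIO_PGRP    1
#define PRIO_USER    2
/* Constructed table; prison 0 = unjailed, else a jail id. pgrp 200 mixes an
 * outside process (pid 100) with jailed ones; all are uid 0, as jail root is. */
static struct proc { int pid, pgid, uid, nice, prison; } ptab[] = {
    {   1,   1, 0, 0, 0 },
    { 100, 200, 0, 0, 0 },
    { 200, 200, 0, 0, 1 },
    { 201, 200, 0, 0, 1 },
    { 300, 300, 0, 0, 2 },
};
#define NPROC (sizeof ptab / sizeof ptab[0])
/* Same rule as the kernel's PRISON_CHECK(p1, p2): an unjailed caller passes
 * for any target, a jailed caller only for targets in its own prison. */
static int prison_check(const struct proc *curp, const struct proc *p)
{
    return curp->prison == 0 || curp->prison == p->prison;
}
static struct proc *lookup(int pid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (ptab[i].pid == pid)
            return &ptab[i];
    return NULL;
}
int model_nice(int pid) { struct proc *p = lookup(pid); return p ? p->nice : -1; }
/* setpriority(2) as the fix leaves it: renice each process the selector
 * matches and the caller may see (checked per process), ESRCH if none. */
int model_setpriority(int caller_pid, int which, int who, int prio)
{
    struct proc *curp = lookup(caller_pid);
    int found = 0;
    if (curp == NULL) return ESRCH;
    if (who == 0)  /* 0 selects the caller's own pid, pgrp or uid */
        who = which == PRIO_PROCESS ? curp->pid
            : which == PRIO_PGRP ? curp->pgid : curp->uid;
    for (size_t i = 0; i < NPROC; i++) {
        struct proc *p = &ptab[i];
        int match = which == PRIO_PROCESS ? p->pid == who
                  : which == PRIO_PGRP ? p->pgid == who : p->uid == who;
        if (match && prison_check(curp, p)) {
            p->nice = prio;
            found++;
        }
    }
    return found ? 0 : ESRCH;
}
```

With the check in place, jailed pid 200 gets ESRCH for the outside pid 100 and renices only pids 200 and 201 of its own pgrp or uid, while the unjailed pid 1 can still renice anything.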