From owner-freebsd-bugs  Mon Feb 10  9:10:15 2003
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 4109537B401
	for <freebsd-bugs@hub.freebsd.org>; Mon, 10 Feb 2003 09:10:10 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 041E243F93
	for <freebsd-bugs@hub.freebsd.org>; Mon, 10 Feb 2003 09:10:08 -0800 (PST)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h1AHA8NS054275
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 10 Feb 2003 09:10:08 -0800 (PST)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h1AHA8QH054274;
	Mon, 10 Feb 2003 09:10:08 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 02EF537B401
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 09:08:12 -0800 (PST)
Received: from milla.ask33.net (milla.ask33.net [217.197.166.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 37BCC43F93
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Feb 2003 09:08:11 -0800 (PST)
	(envelope-from nick@milla.ask33.net)
Received: by milla.ask33.net (Postfix, from userid 1001)
	id EB5A93ABB3B; Mon, 10 Feb 2003 18:08:00 +0100 (CET)
Message-Id: <20030210170800.EB5A93ABB3B@milla.ask33.net>
Date: Mon, 10 Feb 2003 18:08:00 +0100 (CET)
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Reply-To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/48156: Bug in procfs(5) closed in jail.
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         48156
>Category:       kern
>Synopsis:       Bug in procfs(5) closed in jail.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 09:10:07 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
cerb team
>Environment:
System: FreeBSD milla.ask33.net 4.7-STABLE FreeBSD 4.7-STABLE #12: Fri Jan 10 12:53:26 CET 2003 root@milla.ask33.net:/usr/obj/usr/src/sys/MILLA i386


>Description:
	There is a way to get list of running processes of main host
	when we are inside of jail and if procfs if mounted there.

	We can't get informations about running processes, but we can get
	their PIDs.
>How-To-Repeat:
	This simple programm shows how this works:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/jail.h>

#define	PID_MAX	99999

int
main(int argc, char *argv[])
{
	struct jail	j = { 0, "/", "test", 0 };
	char	filename[16];
	int	i;

	if (jail(&j) != 0 || chdir("/proc") != 0)
		exit(1);

	for (i = 0; i < PID_MAX; ++i) {
		snprintf(filename, sizeof(filename), "%u", i);
		if (access(filename, 0) == 0)
			printf("Process %u is running.\n", i);
	}

	exit(0);
}

>Fix:
	This patch fix this bug and fix ps_showallprocs problem too.

diff -ru procfs.orig/procfs.h procfs/procfs.h
--- procfs.orig/procfs.h	Tue Jan 22 18:22:59 2002
+++ procfs/procfs.h	Mon Feb 10 17:13:24 2003
@@ -100,6 +100,10 @@
        ((p2)->p_flag & (P_SUGID|P_INEXEC)) == 0) || \
       (suser_xxx((p1)->p_cred->pc_ucred, (p1), PRISON_ROOT) == 0))
 
+extern int	ps_showallprocs;
+#define	PROCS_CHECK(p1, p2) \
+	(PRISON_CHECK(p1, p2) && (ps_showallprocs || p_trespass(p1, p2) == 0))
+
 /*
  * Convert between pfsnode vnode
  */
diff -ru procfs.orig/procfs_vnops.c procfs/procfs_vnops.c
--- procfs.orig/procfs_vnops.c	Tue Jan 22 18:22:59 2002
+++ procfs/procfs_vnops.c	Mon Feb 10 18:02:36 2003
@@ -138,7 +138,7 @@
 	p2 = PFIND(pfs->pfs_pid);
 	if (p2 == NULL)
 		return (ENOENT);
-	if (pfs->pfs_pid && !PRISON_CHECK(ap->a_p, p2))
+	if (pfs->pfs_pid && !PROCS_CHECK(ap->a_p, p2))
 		return (ENOENT);
 
 	switch (pfs->pfs_type) {
@@ -446,6 +446,8 @@
 		if (procp == NULL || procp->p_cred == NULL ||
 		    procp->p_ucred == NULL)
 			return (ENOENT);
+		if (!PROCS_CHECK(ap->a_p, procp))
+			return (ENOENT);
 	}
 
 	error = 0;
@@ -734,6 +736,9 @@
 		if (p == NULL)
 			break;
 
+		if (!PROCS_CHECK(curproc, p))
+			break;
+
 		return (procfs_allocvp(dvp->v_mount, vpp, pid, Pproc));
 
 	case Pproc:
@@ -744,6 +749,9 @@
 		if (p == NULL)
 			break;
 
+		if (!PROCS_CHECK(curproc, p))
+			break;
+
 		for (pt = proc_targets, i = 0; i < nproc_targets; pt++, i++) {
 			if (cnp->cn_namelen == pt->pt_namlen &&
 			    bcmp(pt->pt_name, pname, cnp->cn_namelen) == 0 &&
@@ -827,7 +835,7 @@
 		p = PFIND(pfs->pfs_pid);
 		if (p == NULL)
 			break;
-		if (!PRISON_CHECK(curproc, p))
+		if (!PROCS_CHECK(curproc, p))
 			break;
 
 		for (pt = &proc_targets[i];
@@ -890,11 +898,11 @@
 					p = p->p_list.le_next;
 					if (!p)
 						goto done;
-					if (!PRISON_CHECK(curproc, p))
+					if (!PROCS_CHECK(curproc, p))
 						continue;
 					pcnt++;
 				}
-				while (!PRISON_CHECK(curproc, p)) {
+				while (!PROCS_CHECK(curproc, p)) {
 					p = p->p_list.le_next;
 					if (!p)
 						goto done;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message