Date:      Mon, 10 Feb 2003 18:08:00 +0100 (CET)
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/48156: Bug in procfs(5) closed in jail.
Message-ID:  <20030210170800.EB5A93ABB3B@milla.ask33.net>


>Number:         48156
>Category:       kern
>Synopsis:       Bug in procfs(5) closed in jail.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 10 09:10:07 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Jakub Dawidek
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
cerb team
>Environment:
System: FreeBSD milla.ask33.net 4.7-STABLE FreeBSD 4.7-STABLE #12: Fri Jan 10 12:53:26 CET 2003 root@milla.ask33.net:/usr/obj/usr/src/sys/MILLA i386


>Description:
	There is a way to get the list of processes running on the main host
	from inside a jail, if procfs is mounted there.

	We can't get information about the running processes, but we can get
	their PIDs.
>How-To-Repeat:
	This simple program shows how this works:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/jail.h>

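/* Upper bound of the probe loop; PIDs 0 .. PID_MAX - 1 are tested. */
#define	PID_MAX	99999

/*
 * Reproducer for the procfs visibility problem described in this report.
 *
 * The program calls jail(2), changes into /proc and then asks, for every
 * candidate PID, whether a directory entry of that name exists.  Each name
 * that access(2) accepts is reported as a running process.  Nothing is read
 * from the entries; only their existence is tested.
 *
 * Returns 1 if jail() or chdir() fails, 0 after the scan completes.
 */
int
main(int argc, char *argv[])
{
	/* presumably { version, path, hostname, ip_number }; confirm against <sys/jail.h> */
	struct jail	j = { 0, "/", "test", 0 };
	char	filename[16];	/* room for the decimal PID plus NUL */
	int	pid;

	/*
	 * return is used instead of exit(): <stdlib.h> is not included, so
	 * exit() would be called without a declaration.
	 */
	if (jail(&j) != 0 || chdir("/proc") != 0)
		return (1);

	for (pid = 0; pid < PID_MAX; ++pid) {
		/* %d matches the int argument; the printed text is unchanged. */
		snprintf(filename, sizeof(filename), "%d", pid);
		/* F_OK: existence test only, no read/write/execute permission asked. */
		if (access(filename, F_OK) == 0)
			printf("Process %d is running.\n", pid);
	}

	return (0);
}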

>Fix:
	This patch fixes this bug and fixes the ps_showallprocs problem too.

diff -ru procfs.orig/procfs.h procfs/procfs.h
--- procfs.orig/procfs.h	Tue Jan 22 18:22:59 2002
+++ procfs/procfs.h	Mon Feb 10 17:13:24 2003
@@ -100,6 +100,10 @@
        ((p2)->p_flag & (P_SUGID|P_INEXEC)) == 0) || \
       (suser_xxx((p1)->p_cred->pc_ucred, (p1), PRISON_ROOT) == 0))
 
+extern int	ps_showallprocs;
+#define	PROCS_CHECK(p1, p2) \
+	(PRISON_CHECK(p1, p2) && (ps_showallprocs || p_trespass(p1, p2) == 0))
+
 /*
  * Convert between pfsnode vnode
  */
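Review bot: PROCS_CHECK is added without a comment, and the name does not say that it hides a process when PRISON_CHECK fails or when ps_showallprocs is 0 and p_trespass() refuses. A short comment above the macro would help, e.g. `/* p1 may see p2 in procfs: PRISON_CHECK passes, and either ps_showallprocs is set or p_trespass() allows p1 to act on p2. */`. Both arguments are expanded twice, so callers must keep passing side-effect-free expressions, as every call site in this patch does. The `extern int ps_showallprocs;` would be better taken from a header that already declares the variable, if one exists, so the type cannot drift.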
diff -ru procfs.orig/procfs_vnops.c procfs/procfs_vnops.c
--- procfs.orig/procfs_vnops.c	Tue Jan 22 18:22:59 2002
+++ procfs/procfs_vnops.c	Mon Feb 10 18:02:36 2003
@@ -138,7 +138,7 @@
 	p2 = PFIND(pfs->pfs_pid);
 	if (p2 == NULL)
 		return (ENOENT);
-	if (pfs->pfs_pid && !PRISON_CHECK(ap->a_p, p2))
+	if (pfs->pfs_pid && !PROCS_CHECK(ap->a_p, p2))
 		return (ENOENT);
 
 	switch (pfs->pfs_type) {
@@ -446,6 +446,8 @@
 		if (procp == NULL || procp->p_cred == NULL ||
 		    procp->p_ucred == NULL)
 			return (ENOENT);
+		if (!PROCS_CHECK(ap->a_p, procp))
+			return (ENOENT);
 	}
 
 	error = 0;
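Review bot: The new denial at `if (!PROCS_CHECK(ap->a_p, procp))` returns ENOENT, the same errno as the missing-process case just above it, but nothing records that this is deliberate; a later change to EPERM or EACCES would quietly bring back the PID probe from the report. I would add `/* Hidden and nonexistent processes must be indistinguishable: keep ENOENT. */` above the check. The same applies to the two `break` additions in the lookup hunks at -734 and -744, which share the exit path of `p == NULL`. The enclosing function starts and ends outside this hunk.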
@@ -734,6 +736,9 @@
 		if (p == NULL)
 			break;
 
+		if (!PROCS_CHECK(curproc, p))
+			break;
+
 		return (procfs_allocvp(dvp->v_mount, vpp, pid, Pproc));
 
 	case Pproc:
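Review bot: Style: the lookup checks here and in the next hunk (-744) identify the caller as `curproc`, while the two hunks above use the process handed in through the vnode-op arguments (`ap->a_p`). If this is procfs_lookup, which the hunk does not show, the componentname carries the requesting process, and `if (!PROCS_CHECK(cnp->cn_proc, p))` would tie the check to the request instead of to whatever is running. The readdir hunks (-827, -890) already used `curproc` before this patch, so this is a consistency question, not a defect. The switch this case belongs to begins and ends outside the hunk.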
@@ -744,6 +749,9 @@
 		if (p == NULL)
 			break;
 
+		if (!PROCS_CHECK(curproc, p))
+			break;
+
 		for (pt = proc_targets, i = 0; i < nproc_targets; pt++, i++) {
 			if (cnp->cn_namelen == pt->pt_namlen &&
 			    bcmp(pt->pt_name, pname, cnp->cn_namelen) == 0 &&
@@ -827,7 +835,7 @@
 		p = PFIND(pfs->pfs_pid);
 		if (p == NULL)
 			break;
-		if (!PRISON_CHECK(curproc, p))
+		if (!PROCS_CHECK(curproc, p))
 			break;
 
 		for (pt = &proc_targets[i];
@@ -890,11 +898,11 @@
 					p = p->p_list.le_next;
 					if (!p)
 						goto done;
-					if (!PRISON_CHECK(curproc, p))
+					if (!PROCS_CHECK(curproc, p))
 						continue;
 					pcnt++;
 				}
-				while (!PRISON_CHECK(curproc, p)) {
+				while (!PROCS_CHECK(curproc, p)) {
 					p = p->p_list.le_next;
 					if (!p)
 						goto done;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message



