Date: Mon, 10 Feb 2003 18:08:00 +0100 (CET)
From: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/48156: Bug in procfs(5) closed in jail.
Message-ID: <20030210170800.EB5A93ABB3B@milla.ask33.net>
>Number: 48156
>Category: kern
>Synopsis: Bug in procfs(5) closed in jail.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Feb 10 09:10:07 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Pawel Jakub Dawidek
>Release: FreeBSD 4.7-STABLE i386
>Organization: cerb team
>Environment:
System: FreeBSD milla.ask33.net 4.7-STABLE FreeBSD 4.7-STABLE #12: Fri Jan 10 12:53:26 CET 2003 root@milla.ask33.net:/usr/obj/usr/src/sys/MILLA i386
>Description:
There is a way to get a list of running processes of the main host when we are inside of a jail and if procfs is mounted there. We can't get information about running processes, but we can get their PIDs.
>How-To-Repeat:
This simple program shows how this works:

#include <sys/types.h>
#include <sys/jail.h>

#include <stdio.h>
#include <stdlib.h>	/* exit() */
#include <unistd.h>

#define PID_MAX 99999

int
main(int argc, char *argv[])
{
	/* FreeBSD 4.x struct jail: version, path, hostname, ip_number. */
	struct jail j = { 0, "/", "test", 0 };
	char filename[16];
	int i;

	/* Enter a jail rooted at "/" and move into the procfs mount. */
	if (jail(&j) != 0 || chdir("/proc") != 0)
		exit(1);
	/* A /proc/<pid> entry that access() can see means the PID exists. */
	for (i = 0; i <= PID_MAX; ++i) {
		snprintf(filename, sizeof(filename), "%d", i);
		if (access(filename, F_OK) == 0)
			printf("Process %d is running.\n", i);
	}
	exit(0);
}

>Fix:
This patch fixes this bug and fixes the ps_showallprocs problem too.

diff -ru procfs.orig/procfs.h procfs/procfs.h --- procfs.orig/procfs.h Tue Jan 22 18:22:59 2002 +++ procfs/procfs.h Mon Feb 10 17:13:24 2003 @@ -100,6 +100,10 @@ ((p2)->p_flag & (P_SUGID|P_INEXEC)) == 0) || \ (suser_xxx((p1)->p_cred->pc_ucred, (p1), PRISON_ROOT) == 0)) +extern int ps_showallprocs; +#define PROCS_CHECK(p1, p2) \ + (PRISON_CHECK(p1, p2) && (ps_showallprocs || p_trespass(p1, p2) == 0)) + /* * Convert between pfsnode vnode */ diff -ru procfs.orig/procfs_vnops.c procfs/procfs_vnops.c --- procfs.orig/procfs_vnops.c Tue Jan 22 18:22:59 2002 +++ procfs/procfs_vnops.c Mon Feb 10 18:02:36 2003 
@@ -138,7 +138,7 @@ p2 = PFIND(pfs->pfs_pid); if (p2 == NULL) return (ENOENT); - if (pfs->pfs_pid && !PRISON_CHECK(ap->a_p, p2)) + if (pfs->pfs_pid && !PROCS_CHECK(ap->a_p, p2)) return (ENOENT); switch (pfs->pfs_type) { @@ -446,6 +446,8 @@ if (procp == NULL || procp->p_cred == NULL || procp->p_ucred == NULL) return (ENOENT); + if (!PROCS_CHECK(ap->a_p, procp)) + return (ENOENT); } error = 0; @@ -734,6 +736,9 @@ if (p == NULL) break; + if (!PROCS_CHECK(curproc, p)) + break; + return (procfs_allocvp(dvp->v_mount, vpp, pid, Pproc)); case Pproc: @@ -744,6 +749,9 @@ if (p == NULL) break; + if (!PROCS_CHECK(curproc, p)) + break; + for (pt = proc_targets, i = 0; i < nproc_targets; pt++, i++) { if (cnp->cn_namelen == pt->pt_namlen && bcmp(pt->pt_name, pname, cnp->cn_namelen) == 0 && @@ -827,7 +835,7 @@ p = PFIND(pfs->pfs_pid); if (p == NULL) break; - if (!PRISON_CHECK(curproc, p)) + if (!PROCS_CHECK(curproc, p)) break; for (pt = &proc_targets[i]; @@ -890,11 +898,11 @@ p = p->p_list.le_next; if (!p) goto done; - if (!PRISON_CHECK(curproc, p)) + if (!PROCS_CHECK(curproc, p)) continue; pcnt++; } - while (!PRISON_CHECK(curproc, p)) { + while (!PROCS_CHECK(curproc, p)) { p = p->p_list.le_next; if (!p) goto done;
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
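
Review bot: the PROCS_CHECK macro added in the procfs.h hunk (@@ -100,6 +100,10 @@) has no comment stating the policy it encodes, and it sits directly under PRISON_CHECK where the two are easy to confuse. Please add a short comment above it saying that the jail check always applies and that p_trespass() is consulted only when ps_showallprocs is 0. The macro also expands p1 and p2 twice each, which is fine for the arguments used in this patch (ap->a_p, curproc, p, p2, procp) but should be mentioned in that comment so later callers do not pass expressions with side effects. The bare "extern int ps_showallprocs;" would be better pulled in from whichever header owns the variable, if there is one, so the declaration cannot drift.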
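
Review bot: the checks added in the two lookup hunks (@@ -734,6 +736,9 @@ and @@ -744,6 +749,9 @@) are new rather than renamed, and they are what stops the access() probe in How-To-Repeat, but neither carries a comment saying that lookup must refuse to create a vnode for a process the caller may not see. A one-line comment at each site would keep the check from being dropped in a later cleanup. Taking the same "break" as the "p == NULL" case is the right shape, since a hidden PID then leaves by the same path as a nonexistent one; please confirm the code after the switch returns the same error for both. These sites use curproc while the hunks at @@ -138,7 +138,7 @@ and @@ -446,6 +446,8 @@ use ap->a_p, so it is worth confirming curproc is always the requesting process on this path.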
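
Review bot: the renames from PRISON_CHECK to PROCS_CHECK in @@ -138,7 +138,7 @@, @@ -827,7 +835,7 @@ and @@ -890,11 +898,11 @@ change behaviour for callers outside a jail as well, because those sites now also apply p_trespass() whenever ps_showallprocs is 0. That is a separate policy change from the jail PID leak and would be easier to review and to back out as its own patch, with the jail fix limited to the newly added checks. In the @@ -890,11 +898,11 @@ hunk the macro is evaluated for every entry walked in both the skip loop and the following while loop, so with ps_showallprocs at 0 each directory read adds a p_trespass() call per process visited; a note on the expected cost on hosts with many processes would help.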