Date: Sat, 9 Sep 2006 10:06:52 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 105883 for review Message-ID: <200609091006.k89A6q5Q025934@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=105883 Change 105883 by rwatson@rwatson_sesame on 2006/09/09 10:06:18 Annotate inconsistencies in procfs access control. Annotate the oddness of WITNESS doing a privilege checkn in a sysctl. Annotate the oddness of uipc_mqueue with respect to jail. Update vfs_mount.c so that overriding the owner during mount is based on vfs_admin, which is generally allowed in jail; this is separate from other privilege checks elsewhere in the mount process. Complete rename of priv_vfs_mountowner. Convert vfs_syscalls.c to use the admin privilege rather than the revoke privilege. Annotate that the raw socket decision would be better made in the jail code than in the raw socket code. Convert IPv6 to allow privileged ports to be used in jail, consistent with IPv4. Don't allow managing IPSEC in jail. Don't limit querying netinet IPv6 pcb information in jail based on a privilege check, there are separate visibility checks for that. In mac_portacl, exempt jailed root, similar to other places where root can bind ports. Affected files ... .. //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c#3 edit .. //depot/projects/trustedbsd/priv/sys/kern/subr_witness.c#3 edit .. //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c#3 edit .. //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#3 edit .. //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c#3 edit .. //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#3 edit .. //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c#3 edit .. //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c#3 edit .. //depot/projects/trustedbsd/priv/sys/netinet6/ipsec.c#3 edit .. //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c#3 edit .. //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h#3 edit .. //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c#3 edit Differences ... ==== //depot/projects/trustedbsd/priv/sys/fs/procfs/procfs_ioctl.c#3 (text+ko) ==== @@ -92,6 +92,9 @@ * XXXRW: Is this specific check required here, as * p_candebug() should implement it, or other checks * are missing. + * + * XXXRW: Other debugging privileges are granted in + * jail, why isn't this? */ error = priv_check(td, PRIV_DEBUG_SUGID); if (error) ==== //depot/projects/trustedbsd/priv/sys/kern/subr_witness.c#3 (text+ko) ==== @@ -533,6 +533,9 @@ error = sysctl_handle_int(oidp, &value, 0, req); if (error != 0 || req->newptr == NULL) return (error); + /* + * XXXRW: Why a priv check here? + */ error = priv_check(req->td, PRIV_WITNESS); if (error != 0) return (error); ==== //depot/projects/trustedbsd/priv/sys/kern/uipc_mqueue.c#3 (text+ko) ==== @@ -954,6 +954,10 @@ sx_assert(&pn->mn_info->mi_lock, SX_LOCKED); + /* + * XXXRW: Other instances of the message queue primitive are + * allowed in jail? + */ if (ucred->cr_uid != pn->mn_uid && (error = priv_check_cred(ucred, PRIV_MQ_ADMIN, 0)) != 0) error = EACCES; ==== //depot/projects/trustedbsd/priv/sys/kern/vfs_mount.c#3 (text+ko) ==== @@ -908,7 +908,8 @@ return (error); } if (va.va_uid != td->td_ucred->cr_uid) { - error = priv_check(td, PRIV_VFS_ADMIN); + error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, + SUSER_ALLOWJAIL); if (error) { vput(vp); return (error); ==== //depot/projects/trustedbsd/priv/sys/kern/vfs_subr.c#3 (text+ko) ==== @@ -407,7 +407,7 @@ if ((mp->mnt_flag & MNT_USER) == 0 || mp->mnt_cred->cr_uid != td->td_ucred->cr_uid) { - if ((error = priv_check(td, PRIV_VFS_MOUNTOWNER)) != 0) + if ((error = priv_check(td, PRIV_VFS_MOUNT_OWNER)) != 0) return (error); } return (0); ==== //depot/projects/trustedbsd/priv/sys/kern/vfs_syscalls.c#3 (text+ko) ==== @@ -3892,7 +3892,7 @@ if (error) goto out; if (td->td_ucred->cr_uid != vattr.va_uid) { - error = priv_check_cred(td->td_ucred, PRIV_VFS_REVOKE, + error = priv_check_cred(td->td_ucred, PRIV_VFS_ADMIN, SUSER_ALLOWJAIL); if (error) goto out; ==== //depot/projects/trustedbsd/priv/sys/netinet/raw_ip.c#3 (text+ko) ==== @@ -605,6 +605,9 @@ inp = sotoinpcb(so); KASSERT(inp == NULL, ("rip_attach: inp != NULL")); + /* + * XXXRW: Centralize privilege decision in kern_jail.c. + */ if (jailed(td->td_ucred) && !jail_allow_raw_sockets) return (EPERM); error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW, ==== //depot/projects/trustedbsd/priv/sys/netinet6/in6_src.c#3 (text+ko) ==== @@ -773,7 +773,8 @@ last = ipport_hilastauto; lastport = &pcbinfo->lasthi; } else if (inp->inp_flags & INP_LOWPORT) { - error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0); + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL); if (error) return error; first = ipport_lowfirstauto; /* 1023 */ ==== //depot/projects/trustedbsd/priv/sys/netinet6/ipsec.c#3 (text+ko) ==== @@ -1225,9 +1225,11 @@ /* * XXXRW: Can we avoid caching the privilege decision here, and * instead cache the credential? + * + * XXXRW: Why is suser_allowjail set here? */ if (so->so_cred != NULL && priv_check_cred(so->so_cred, - PRIV_NETINET_IPSEC, SUSER_ALLOWJAIL) == 0) + PRIV_NETINET_IPSEC, 0) == 0) new->priv = 1; else new->priv = 0; ==== //depot/projects/trustedbsd/priv/sys/netinet6/udp6_usrreq.c#3 (text+ko) ==== @@ -435,7 +435,8 @@ struct inpcb *inp; int error; - error = priv_check(req->td, PRIV_NETINET_GETCRED); + error = priv_check_cred(req->td->td_ucred, PRIV_NETINET_GETCRED, + SUSER_ALLOWJAIL); if (error) return (error); ==== //depot/projects/trustedbsd/priv/sys/netipsec/ipsec_osdep.h#3 (text+ko) ==== @@ -215,11 +215,12 @@ * NetBSD (1.6N) tests (so)->so_uid == 0). * This difference is wrapped inside the IPSEC_PRIVILEGED_SO() macro. * + * XXXRW: Why was this suser_allowjail? */ #ifdef __FreeBSD__ #define IPSEC_IS_PRIVILEGED_SO(_so) \ ((_so)->so_cred != NULL && \ - priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSECSUSER_ALLOWJAIL) \ + priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \ == 0) #endif /* __FreeBSD__ */ ==== //depot/projects/trustedbsd/priv/sys/security/mac_portacl/mac_portacl.c#3 (text+ko) ==== @@ -428,7 +428,8 @@ mtx_unlock(&rule_mtx); if (error != 0 && mac_portacl_suser_exempt != 0) - error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, 0); + error = priv_check_cred(cred, PRIV_NETINET_RESERVEDPORT, + SUSER_ALLOWJAIL); return (error); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609091006.k89A6q5Q025934>