Date: Sat, 20 Jun 2009 14:50:32 +0000 (UTC) From: Ed Schouten <ed@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r194532 - in head/sys: fs/devfs kern sys Message-ID: <200906201450.n5KEoWfi078819@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ed Date: Sat Jun 20 14:50:32 2009 New Revision: 194532 URL: http://svn.freebsd.org/changeset/base/194532 Log: Improve nested jail awareness of devfs by handling credentials. Now that we start to use credentials on character devices more often (because of MPSAFE TTY), move the prison-checks that are in place in the TTY code into devfs. Instead of strictly comparing the prisons, use the more common prison_check() function to compare credentials. This means that pseudo-terminals are only visible in devfs by processes within the same jail and parent jails. Even though regular users in parent jails can now interact with pseudo-terminals from child jails, this seems to be the right approach. These processes are also capable of interacting with the jailed processes anyway, through signals for example. Reviewed by: kib, rwatson (older version) Modified: head/sys/fs/devfs/devfs_vnops.c head/sys/kern/tty.c head/sys/sys/priv.h Modified: head/sys/fs/devfs/devfs_vnops.c ============================================================================== --- head/sys/fs/devfs/devfs_vnops.c Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/fs/devfs/devfs_vnops.c Sat Jun 20 14:50:32 2009 (r194532) @@ -48,6 +48,7 @@ #include <sys/file.h> #include <sys/filedesc.h> #include <sys/filio.h> +#include <sys/jail.h> #include <sys/kernel.h> #include <sys/lock.h> #include <sys/malloc.h> @@ -706,6 +707,22 @@ devfs_kqfilter_f(struct file *fp, struct return (error); } +static inline int +devfs_prison_check(struct devfs_dirent *de, struct ucred *tcr) +{ + struct cdev_priv *cdp; + struct ucred *dcr; + + cdp = de->de_cdp; + if (cdp == NULL) + return (0); + dcr = cdp->cdp_c.si_cred; + if (dcr == NULL) + return (0); + + return (prison_check(tcr, dcr)); +} + static int devfs_lookupx(struct vop_lookup_args *ap, int *dm_unlock) { @@ -831,6 +848,9 @@ devfs_lookupx(struct vop_lookup_args *ap return (ENOENT); } + if (devfs_prison_check(de, td->td_ucred)) + return (ENOENT); + if ((cnp->cn_nameiop == DELETE) && (flags & ISLASTCN)) { error = VOP_ACCESS(dvp, VWRITE, cnp->cn_cred, td); if (error) @@ -1106,6 +1126,8 @@ devfs_readdir(struct vop_readdir_args *a KASSERT(dd->de_cdp != (void *)0xdeadc0de, ("%s %d\n", __func__, __LINE__)); if (dd->de_flags & DE_WHITEOUT) continue; + if (devfs_prison_check(dd, ap->a_cred)) + continue; if (dd->de_dirent->d_type == DT_DIR) de = dd->de_dir; else Modified: head/sys/kern/tty.c ============================================================================== --- head/sys/kern/tty.c Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/kern/tty.c Sat Jun 20 14:50:32 2009 (r194532) @@ -219,13 +219,6 @@ ttydev_open(struct cdev *dev, int oflags struct tty *tp = dev->si_drv1; int error = 0; - /* Disallow access when the TTY belongs to a different prison. */ - if (dev->si_cred != NULL && - dev->si_cred->cr_prison != td->td_ucred->cr_prison && - priv_check(td, PRIV_TTY_PRISON)) { - return (EPERM); - } - tty_lock(tp); if (tty_gone(tp)) { /* Device is already gone. */ Modified: head/sys/sys/priv.h ============================================================================== --- head/sys/sys/priv.h Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/sys/priv.h Sat Jun 20 14:50:32 2009 (r194532) @@ -211,7 +211,6 @@ #define PRIV_TTY_DRAINWAIT 251 /* Set tty drain wait time. */ #define PRIV_TTY_DTRWAIT 252 /* Set DTR wait on tty. */ #define PRIV_TTY_EXCLUSIVE 253 /* Override tty exclusive flag. */ -#define PRIV_TTY_PRISON 254 /* Can open pts across jails. */ #define PRIV_TTY_STI 255 /* Simulate input on another tty. */ #define PRIV_TTY_SETA 256 /* Set tty termios structure. */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200906201450.n5KEoWfi078819>