From owner-freebsd-hackers@FreeBSD.ORG Sun May 28 15:25:12 2006
Date: Sun, 28 May 2006 16:25:10 +0100
From: David Malone
To: Anatoli Klassen
Cc: freebsd-hackers@freebsd.org
Subject: Re: security.bsd.see_other_uids for jails
Message-ID: <20060528152510.GA39279@walton.maths.tcd.ie>
In-Reply-To: <4479A99E.8080708@aksoft.net>
References: <4479A99E.8080708@aksoft.net>
User-Agent: Mutt/1.5.6i

On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
> if security.bsd.see_other_uids is set to 0, users from the main system
> can still see processes from jails if they have (by accident) the same uid.
>
> For me it's wrong behavior because the main system and the jail are two
> different systems where uids are independent.

You could try the following (untested) patch to the MAC seeotheruids
module. You'd need to compile a kernel with the MAC option and then:

	kldload mac_seeotheruids
	sysctl security.mac.seeotheruids.enabled=1
	sysctl security.mac.seeotheruids.jail_match=1

and I think it will do what you want. The module is very simple, so if
it doesn't quite do what you want, then you may be able to tweak it to
get what you want.

	David.

Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
===================================================================
RCS file: /cvs/FreeBSD-CVS/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
retrieving revision 1.8
diff -u -r1.8 mac_seeotheruids.c
--- sys/security/mac_seeotheruids/mac_seeotheruids.c	30 Sep 2005 23:41:10 -0000	1.8
+++ sys/security/mac_seeotheruids/mac_seeotheruids.c	28 May 2006 14:57:24 -0000
@@ -105,6 +105,29 @@ SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW, &specificgid, 0, "Specific gid to be exempt from seeotheruids policy"); +/* + * Restriction: Unprivileged users outside jail cannot see jailed processes, + * unprivileged users in a jail can only see processes in the same jail. + */ +static int jail_match = 0; +SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, jail_match, + CTLFLAG_RW, &jail_match, 0, "Allow access only when in the same jail"); + +static int +mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) { + + if (!jail_match) + return (0); + + if (u1->cr_prison == NULL && u2->cr_prison == NULL) + return (0); + + if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison) + return (0); + + return (ESRCH); +} + static int mac_seeotheruids_check(struct ucred *u1, struct ucred *u2) { @@ -113,7 +136,8 @@ return (0); if (primarygroup_enabled) { - if (u1->cr_rgid == u2->cr_rgid) + if (u1->cr_rgid == u2->cr_rgid && + mac_seeotheruids_prison_check(u1, u2) == 0) return (0); } @@ -122,7 +146,8 @@ return (0); } - if (u1->cr_ruid == u2->cr_ruid) + if (u1->cr_ruid == u2->cr_ruid && + mac_seeotheruids_prison_check(u1, u2) == 0) return (0); if (suser_privileged) {
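Review bot: in the first hunk, mac_seeotheruids_prison_check() opens its brace on the signature line (`mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {`) and leaves a blank line before the first statement, while the neighbouring mac_seeotheruids_check() puts the brace on its own line as style(9) expects; match that. The sysctl description "Allow access only when in the same jail" also says less than the block comment above it, which states that unjailed users are denied sight of jailed processes as well; something like "Deny seeotheruids exemptions across jail boundaries" would document both directions.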
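Review bot: in the second hunk (the primarygroup_enabled branch), a matching rgid whose prison check returns ESRCH no longer returns but falls through to the later tests, so the ruid comparison and any exemption after it can still grant the access; if jail_match is meant to be a hard boundary, test the prison relationship first and return its result, e.g. `if (mac_seeotheruids_prison_check(u1, u2) != 0) return (ESRCH);` ahead of the group test, otherwise say in the comment that fall-through is intended.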
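Review bot: in the third hunk (the cr_ruid branch), the same fall-through means a same-ruid pair in different jails still reaches the `if (suser_privileged)` block below, so jail_match does not override that exemption; that is likely what a host administrator inspecting jails wants, but the block comment introducing jail_match talks only about "unprivileged users" and should state the exemption explicitly.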
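The visibility decision the patched module makes, modelled in user space as an added example (this is not code from the patch or from the FreeBSD tree): struct prison and struct ucred are reduced to the fields the policy reads, jail ids are constructed, and the parts of mac_seeotheruids_check() the diff does not show (the global enable test and the specificgid and suser exemptions) are assumed not to apply, so the fall-through is treated as a deny. The cases in main() are the ones from the thread: the same uid on the host and in a jail, in the same jail, and in two different jails, with jail_match on and off.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct prison: only identity matters here. */
struct prison {
	int pr_id;
};

/* Stand-in for struct ucred with just the fields the policy consults. */
struct ucred {
	unsigned int cr_ruid;
	unsigned int cr_rgid;
	struct prison *cr_prison;	/* NULL means "not in a jail" */
};

/* The two sysctls the patched branches consult (assumed default values). */
static int jail_match = 1;
static int primarygroup_enabled = 0;

/* Mirrors the patch's mac_seeotheruids_prison_check(): 0 = allowed, ESRCH = denied. */
static int
prison_check(const struct ucred *u1, const struct ucred *u2)
{
	if (!jail_match)
		return (0);
	if (u1->cr_prison == NULL && u2->cr_prison == NULL)
		return (0);
	if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
		return (0);
	return (ESRCH);
}

/*
 * Mirrors the rgid and ruid branches of the patched mac_seeotheruids_check().
 * Assumption: the elided enable test and specificgid/suser exemptions do not
 * apply, so reaching the end of the function is a deny.
 */
static int
see_check(const struct ucred *u1, const struct ucred *u2)
{
	if (primarygroup_enabled) {
		if (u1->cr_rgid == u2->cr_rgid &&
		    prison_check(u1, u2) == 0)
			return (0);
	}
	if (u1->cr_ruid == u2->cr_ruid &&
	    prison_check(u1, u2) == 0)
		return (0);
	return (ESRCH);	/* assumed: no further exemption matched */
}

/*
 * Convenience wrapper: jm is the jail_match setting to evaluate under,
 * jail id 0 means "on the host" and 1..3 name constructed jails.
 * Returns 1 if a process with (uid1, jail1) may see one with (uid2, jail2).
 */
int
can_see(int jm, unsigned int uid1, int jail1, unsigned int uid2, int jail2)
{
	static struct prison prisons[4] = { {0}, {1}, {2}, {3} };
	struct ucred a = { uid1, uid1, jail1 ? &prisons[jail1] : NULL };
	struct ucred b = { uid2, uid2, jail2 ? &prisons[jail2] : NULL };
	int saved = jail_match, r;

	jail_match = jm;
	r = see_check(&a, &b);
	jail_match = saved;
	return (r == 0);
}

int
main(void)
{
	/* The scenario from the thread: same uid on the host and in a jail. */
	printf("jail_match=1 host uid 1001 -> jail 1 uid 1001: %s\n",
	    can_see(1, 1001, 0, 1001, 1) ? "visible" : "hidden");
	printf("jail_match=1 jail 1 uid 1001 -> jail 1 uid 1001: %s\n",
	    can_see(1, 1001, 1, 1001, 1) ? "visible" : "hidden");
	printf("jail_match=1 jail 1 uid 1001 -> jail 2 uid 1001: %s\n",
	    can_see(1, 1001, 1, 1001, 2) ? "visible" : "hidden");
	printf("jail_match=0 host uid 1001 -> jail 1 uid 1001: %s\n",
	    can_see(0, 1001, 0, 1001, 1) ? "visible" : "hidden");
	return (0);
}
```

With jail_match set, a uid collision between the host and a jail, or between two jails, no longer exempts the pair from the seeotheruids restriction; with it cleared, the model reproduces the behaviour the original poster complained about.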