Date: Wed, 31 May 2006 15:03:58 -0400
From: John Baldwin <jhb@freebsd.org>
To: freebsd-hackers@freebsd.org
Cc: David Malone <dwmalone@maths.tcd.ie>, Anatoli Klassen <anatoli@aksoft.net>
Subject: Re: security.bsd.see_other_uids for jails
Message-ID: <200605311503.58402.jhb@freebsd.org>
In-Reply-To: <20060528152510.GA39279@walton.maths.tcd.ie>
References: <4479A99E.8080708@aksoft.net> <20060528152510.GA39279@walton.maths.tcd.ie>
On Sunday 28 May 2006 11:25, David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
> > if security.bsd.see_other_uids is set to 0, users from the main system
> > can still see processes from jails if they have (by accident) the same
> > uid.
> >
> > For me it's wrong behavior because the main system and the jail are two
> > different systems where uids are independent.
>
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
>
> kldload mac_seeotheruids
> sysctl security.mac.seeotheruids.enabled=1
> sysctl security.mac.seeotheruids.jail_match=1
>
> and I think it will do what you want. The module is very simple, so
> if it doesn't quite do what you want, then you may be able to tweak
> it to get what you want.
>
> David.
>
>
> Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
> ===================================================================
> +static int
> +mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {
> +
> + if (!jail_match)
> + return (0);
> +
> + if (u1->cr_prison == NULL && u2->cr_prison == NULL)
> + return (0);
> +
> + if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
> + return (0);
> +
> + return (ESRCH);
> +}
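Review bot: this hunk only adds mac_seeotheruids_prison_check() and reads a jail_match variable, but nothing shown declares jail_match, exposes it as the security.mac.seeotheruids.jail_match sysctl the instructions above set, or calls the new function from the module's existing credential and process check hooks, so on its own the function is dead code and the remaining hunks of the diff should accompany it. In the body, the second and third tests collapse into a single `if (u1->cr_prison == u2->cr_prison) return (0);`, since NULL == NULL already covers the both-unjailed case. style(9) also wants the opening brace of a function definition on its own line rather than after the parameter list, and the empty `+` line that follows it dropped. Finally, it is worth stating whether the check is meant to apply to privileged credentials: as written, a host process with cr_prison == NULL, root included, gets ESRCH for every jailed target once jail_match is on, which may or may not be what the requester wants.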
Mostly off-topic, but couldn't you simplify the logic here slightly:
{
if (!jail_match)
return (0);
if (u1->cr_prison == u2->cr_prison)
return (0);
return (ESRCH);
}
--
John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200605311503.58402.jhb>
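As an added userland model of the decision the thread is about (not kernel code and not part of the patch or the reply), the following C program restates both versions of the prison check side by side, verifies exhaustively that they agree for every host/jail combination, and combines the check with a deliberately simplified stand-in for security.bsd.see_other_uids=0 so that the reporter's scenario (a host user and a jailed process sharing a uid) can be run. The struct prison and struct ucred definitions, the uid_check() model, and the prison and uid values are all constructed for the example; in particular uid_check() is an assumption that ignores the kernel's privileged-user exemption and real-uid comparison.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the kernel structures the quoted patch refers to. */
struct prison { int pr_id; };
struct ucred {
    unsigned int cr_uid;
    struct prison *cr_prison;   /* NULL for a process on the host system */
};

/* Two prisons, constructed for the example. */
static struct prison jail_a = { 1 };
static struct prison jail_b = { 2 };

/* The check as written in the quoted patch (three explicit cases). */
static int
prison_check_orig(const struct ucred *u1, const struct ucred *u2, int jail_match)
{
    if (!jail_match)
        return (0);
    if (u1->cr_prison == NULL && u2->cr_prison == NULL)
        return (0);
    if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
        return (0);
    return (ESRCH);
}

/* The simplification suggested in the reply: one pointer comparison,
 * because NULL == NULL already covers the "both on the host" case. */
static int
prison_check_simple(const struct ucred *u1, const struct ucred *u2, int jail_match)
{
    if (!jail_match)
        return (0);
    if (u1->cr_prison == u2->cr_prison)
        return (0);
    return (ESRCH);
}

/* Assumed, simplified model of security.bsd.see_other_uids=0: only an
 * exact uid match is allowed.  The kernel's real check also exempts
 * privileged credentials and compares real uids; that is left out here. */
static int
uid_check(const struct ucred *u1, const struct ucred *u2, int see_other_uids)
{
    if (see_other_uids)
        return (0);
    if (u1->cr_uid == u2->cr_uid)
        return (0);
    return (ESRCH);
}

/* Combined decision: the viewer sees the target only if both policies pass. */
int
can_see(const struct ucred *viewer, const struct ucred *target,
    int see_other_uids, int jail_match)
{
    int error;

    error = uid_check(viewer, target, see_other_uids);
    if (error != 0)
        return (error);
    return (prison_check_simple(viewer, target, jail_match));
}

/* Exhaustively compare the two prison_check variants over every pairing of
 * host / jail_a / jail_b and both jail_match settings.  Returns 1 if they
 * agree everywhere, 0 at the first disagreement. */
int
prison_checks_agree(void)
{
    struct prison *prisons[] = { NULL, &jail_a, &jail_b };
    struct ucred u1, u2;
    int i, j, jm;

    for (i = 0; i < 3; i++)
        for (j = 0; j < 3; j++)
            for (jm = 0; jm <= 1; jm++) {
                u1.cr_uid = u2.cr_uid = 1001;
                u1.cr_prison = prisons[i];
                u2.cr_prison = prisons[j];
                if (prison_check_orig(&u1, &u2, jm) !=
                    prison_check_simple(&u1, &u2, jm))
                    return (0);
            }
    return (1);
}

/* The reporter's scenario: a host user and a jailed process that happen to
 * share uid 1001 (constructed values). Returns 0 if visible, else ESRCH. */
int
scenario_host_vs_jail_same_uid(int see_other_uids, int jail_match)
{
    struct ucred host = { 1001, NULL };
    struct ucred jailed = { 1001, &jail_a };

    return (can_see(&host, &jailed, see_other_uids, jail_match));
}

int
main(void)
{
    printf("original and simplified prison checks agree: %s\n",
        prison_checks_agree() ? "yes" : "no");
    printf("host uid 1001 -> jailed uid 1001, see_other_uids=0, jail_match=0: %s\n",
        scenario_host_vs_jail_same_uid(0, 0) == 0 ? "visible" : "hidden (ESRCH)");
    printf("host uid 1001 -> jailed uid 1001, see_other_uids=0, jail_match=1: %s\n",
        scenario_host_vs_jail_same_uid(0, 1) == 0 ? "visible" : "hidden (ESRCH)");
    return (0);
}
```

With jail_match=0 the shared uid makes the jailed process visible from the host, which is the behaviour the original report objects to; with jail_match=1 the prison comparison returns ESRCH regardless of the uid, and the exhaustive loop confirms the one-comparison form is equivalent to the three-case form for every combination of host and jail credentials.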
