From: John Baldwin
To: freebsd-hackers@freebsd.org
Cc: David Malone, Anatoli Klassen
Date: Wed, 31 May 2006 15:03:58 -0400
Subject: Re: security.bsd.see_other_uids for jails

On Sunday 28 May 2006 11:25, David Malone wrote:
> On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
> > if security.bsd.see_other_uids is set to 0, users from the main system
> > can still see processes from jails if they have (by accident) the same uid.
> >
> > For me it's wrong behavior because the main system and the jail are two
> > different systems where uids are independent.
>
> You could try the following (untested) patch to the MAC seeotheruid
> module. You'd need to compile a kernel with the MAC option and then:
>
> 	kldload mac_seeotheruids
> 	sysctl security.mac.seeotheruids.enabled=1
> 	sysctl security.mac.seeotheruids.jail_match=1
>
> and I think it will do what you want. The module is very simple, so
> if it doesn't quite do what you want, then you may be able to tweak
> it to get what you want.
>
> 	David.
>
>
> Index: sys/security/mac_seeotheruids/mac_seeotheruids.c > =================================================================== > +static int > +mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) { > + > + if (!jail_match) > + return (0); > + > + if (u1->cr_prison == NULL && u2->cr_prison == NULL) > + return (0); > + > + if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison) > + return (0); > + > + return (ESRCH); > +}

Mostly off-topic, but couldn't you simplify the logic here slightly:

{
	if (!jail_match)
		return (0);

	if (u1->cr_prison == u2->cr_prison)
		return (0);

	return (ESRCH);
}

-- 
John Baldwin
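
Review bot: In mac_seeotheruids_prison_check(), the two cr_prison tests are redundant: the both-NULL case and the same-non-NULL case together are exactly `u1->cr_prison == u2->cr_prison`, so a single pointer comparison returning 0 gives the same result for every input. The opening brace on the function line should move to its own line per style(9). A short comment stating that ESRCH is returned whenever exactly one credential is jailed, or the two are in different jails, would document the intended host-versus-jail visibility rule, since that is the behaviour the jail_match sysctl is meant to switch on.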