From: Ed Schouten
Date: Sat, 20 Jun 2009 14:50:32 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r194532 - in head/sys: fs/devfs kern sys

Author: ed
Date: Sat Jun 20 14:50:32 2009
New Revision: 194532

URL: http://svn.freebsd.org/changeset/base/194532

Log:
  Improve nested jail awareness of devfs by handling credentials.

  Now that we start to use credentials on character devices more often
  (because of MPSAFE TTY), move the prison-checks that are in place in the
  TTY code into devfs. Instead of strictly comparing the prisons, use the
  more common prison_check() function to compare credentials. This means
  that pseudo-terminals are only visible in devfs by processes within the
  same jail and parent jails.

  Even though regular users in parent jails can now interact with
  pseudo-terminals from child jails, this seems to be the right approach.
  These processes are also capable of interacting with the jailed
  processes anyway, through signals for example.

  Reviewed by:	kib, rwatson (older version)

Modified:
  head/sys/fs/devfs/devfs_vnops.c
  head/sys/kern/tty.c
  head/sys/sys/priv.h

Modified: head/sys/fs/devfs/devfs_vnops.c ============================================================================== --- head/sys/fs/devfs/devfs_vnops.c Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/fs/devfs/devfs_vnops.c Sat Jun 20 14:50:32 2009 (r194532) @@ -48,6 +48,7 @@ #include #include #include +#include #include #include #include 
@@ -706,6 +707,22 @@ devfs_kqfilter_f(struct file *fp, struct return (error); } +static inline int +devfs_prison_check(struct devfs_dirent *de, struct ucred *tcr) +{ + struct cdev_priv *cdp; + struct ucred *dcr; + + cdp = de->de_cdp; + if (cdp == NULL) + return (0); + dcr = cdp->cdp_c.si_cred; + if (dcr == NULL) + return (0); + + return (prison_check(tcr, dcr)); +} + static int devfs_lookupx(struct vop_lookup_args *ap, int *dm_unlock) { @@ -831,6 +848,9 @@ devfs_lookupx(struct vop_lookup_args *ap return (ENOENT); } + if (devfs_prison_check(de, td->td_ucred)) + return (ENOENT); + if ((cnp->cn_nameiop == DELETE) && (flags & ISLASTCN)) { error = VOP_ACCESS(dvp, VWRITE, cnp->cn_cred, td); if (error) @@ -1106,6 +1126,8 @@ devfs_readdir(struct vop_readdir_args *a KASSERT(dd->de_cdp != (void *)0xdeadc0de, ("%s %d\n", __func__, __LINE__)); if (dd->de_flags & DE_WHITEOUT) continue; + if (devfs_prison_check(dd, ap->a_cred)) + continue; if (dd->de_dirent->d_type == DT_DIR) de = dd->de_dir; else Modified: head/sys/kern/tty.c ============================================================================== --- head/sys/kern/tty.c Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/kern/tty.c Sat Jun 20 14:50:32 2009 (r194532) @@ -219,13 +219,6 @@ ttydev_open(struct cdev *dev, int oflags struct tty *tp = dev->si_drv1; int error = 0; - /* Disallow access when the TTY belongs to a different prison. */ - if (dev->si_cred != NULL && - dev->si_cred->cr_prison != td->td_ucred->cr_prison && - priv_check(td, PRIV_TTY_PRISON)) { - return (EPERM); - } - tty_lock(tp); if (tty_gone(tp)) { /* Device is already gone. */ Modified: head/sys/sys/priv.h ============================================================================== --- head/sys/sys/priv.h Sat Jun 20 14:16:41 2009 (r194531) +++ head/sys/sys/priv.h Sat Jun 20 14:50:32 2009 (r194532) 
@@ -211,7 +211,6 @@ #define PRIV_TTY_DRAINWAIT 251 /* Set tty drain wait time. */ #define PRIV_TTY_DTRWAIT 252 /* Set DTR wait on tty. */ #define PRIV_TTY_EXCLUSIVE 253 /* Override tty exclusive flag. */ -#define PRIV_TTY_PRISON 254 /* Can open pts across jails. */ #define PRIV_TTY_STI 255 /* Simulate input on another tty. */ #define PRIV_TTY_SETA 256 /* Set tty termios structure. */
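Review bot: devfs_prison_check() in the @@ -706,6 +707,22 @@ hunk of devfs_vnops.c fails open, and nothing in the function says that this is intended: both `if (cdp == NULL) return (0);` and `if (dcr == NULL) return (0);` make a device that carries no credential visible from every jail. A one-line comment above the function stating that only devices with an si_cred (the MPSAFE TTY pseudo-terminals the log message refers to) are jail-restricted would stop the next reader from treating the two NULL branches as a missed check. The argument order in `return (prison_check(tcr, dcr));` (viewer first, device owner second) also deserves a comment, since swapping the two silently inverts the parent/child direction the log describes.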
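Review bot: the credential passed to the jail check in the @@ -831,6 +848,9 @@ hunk is inconsistent with its neighbours: `if (devfs_prison_check(de, td->td_ucred))` uses the thread credential, while the VOP_ACCESS() call two lines below passes `cnp->cn_cred` and the readdir hunk (@@ -1106,6 +1126,8 @@) passes `ap->a_cred`. If the thread credential is the intended one for lookup, say so in a comment; otherwise use cnp->cn_cred so that lookup and readdir filter on the same credential. Returning ENOENT rather than EPERM is the right choice here, as it does not tell a jailed process that a foreign pty exists.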
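Review bot: the block deleted from ttydev_open() in the @@ -219,13 +219,6 @@ hunk of tty.c differs from its devfs replacement in two ways the log message does not mention: it was enforced at open time, and it had a privilege override (`priv_check(td, PRIV_TTY_PRISON)`), whereas the new check runs only on the devfs lookup and readdir paths and has no override at all. Please state in the log that the PRIV_TTY_PRISON escape hatch is being dropped, and confirm (or note) that there is no route to ttydev_open() that bypasses devfs_lookupx(), since such a route would now be unchecked.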
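Review bot: deleting `#define PRIV_TTY_PRISON 254` in the @@ -211,7 +211,6 @@ hunk of priv.h leaves a hole between PRIV_TTY_EXCLUSIVE 253 and PRIV_TTY_STI 255. Leave a placeholder comment in its place, for example `/* 254 was PRIV_TTY_PRISON, retired in r194532 */`, so that the number is not reassigned to an unrelated privilege later and anyone still referencing the symbol can see from the header why it is gone.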
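To make the visibility change in the log message concrete, here is an added userland model (not kernel code, and not part of this commit) that compares the strict-equality rule removed from ttydev_open() with the prison_check() rule devfs now applies. The prison names host/a/a1/b, the pty placed in jail a1, and the ancestor walk inside the modelled prison_check() are constructed assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Userland stand-ins for the kernel's struct prison and struct ucred (model only). */
struct prison { const char *pr_name; struct prison *pr_parent; /* NULL for the host */ };
struct ucred { struct prison *cr_prison; };

/* Constructed hierarchy: host -> a -> a1, plus a sibling jail b under the host. */
static struct prison host = { "host", NULL };
static struct prison jail_a = { "a", &host };
static struct prison jail_a1 = { "a1", &jail_a };
static struct prison jail_b = { "b", &host };
static struct ucred cr_host = { &host }, cr_a = { &jail_a }, cr_a1 = { &jail_a1 }, cr_b = { &jail_b };

/* Model of prison_check(): 0 when cred2's prison is cred1's own or nested below it, else ESRCH. */
static int prison_check(const struct ucred *cred1, const struct ucred *cred2)
{
	const struct prison *p;
	for (p = cred2->cr_prison; p != NULL; p = p->pr_parent)
		if (p == cred1->cr_prison)
			return (0);
	return (ESRCH);
}

/* Rule removed from ttydev_open(): strict prison equality, PRIV_TTY_PRISON as the only override. */
static int old_tty_visible(const struct ucred *caller, const struct ucred *dev_cred, int has_priv)
{
	if (dev_cred == NULL)
		return (1);
	return (dev_cred->cr_prison == caller->cr_prison || has_priv);
}

/* Rule added to devfs: no credential means visible everywhere, otherwise defer to prison_check(). */
static int new_devfs_visible(const struct ucred *caller, const struct ucred *dev_cred)
{
	if (dev_cred == NULL)
		return (1);
	return (prison_check(caller, dev_cred) == 0);
}

int main(void)
{
	/* A pty created inside jail a1 (constructed): who sees it under each rule? */
	const struct ucred *viewers[] = { &cr_host, &cr_a, &cr_a1, &cr_b };
	for (size_t i = 0; i < sizeof(viewers) / sizeof(viewers[0]); i++)
		printf("%-4s old=%d new=%d\n", viewers[i]->cr_prison->pr_name,
		    old_tty_visible(viewers[i], &cr_a1, 0), new_devfs_visible(viewers[i], &cr_a1));
	return (0);
}
```

Under the old rule only a1 itself (or a holder of the privilege) sees the pty; under the new rule a1, its parent a and the host see it, while the sibling jail b and, in the reverse direction, a child looking at a parent's pty do not.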