Date: Sun, 28 May 2006 16:25:10 +0100 From: David Malone <dwmalone@maths.tcd.ie> To: Anatoli Klassen <anatoli@aksoft.net> Cc: freebsd-hackers@freebsd.org Subject: Re: security.bsd.see_other_uids for jails Message-ID: <20060528152510.GA39279@walton.maths.tcd.ie> In-Reply-To: <4479A99E.8080708@aksoft.net> References: <4479A99E.8080708@aksoft.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
> if security.bsd.see_other_uids is set to 0, users from the main system
> can still see processes from jails if they have (by accident) the save uid.
>
> For me it's wrong behavior because the main system and the jail are two
> different systems where uids are independent.
You could try the following (untested) patch to the MAC seeotheruid
module. You'd need to compile a kernel with the MAC option and then:
kldload mac_seeotheruids
sysctl security.mac.seeotheruids.enabled=1
sysctl security.mac.seeotheruids.jail_match=1
and I think it will do what you want. The module is very simple, so
if it doesn't quite do what you want, then you may be able to tweak
it to get what you want.
David.
Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
===================================================================
RCS file: /cvs/FreeBSD-CVS/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
retrieving revision 1.8
diff -u -r1.8 mac_seeotheruids.c
--- sys/security/mac_seeotheruids/mac_seeotheruids.c 30 Sep 2005 23:41:10 -0000 1.8
+++ sys/security/mac_seeotheruids/mac_seeotheruids.c 28 May 2006 14:57:24 -0000
@@ -105,6 +105,29 @@
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
&specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
+/*
+ * Restriction: Unprivileged users outside jail cannot see jailed processes,
+ * unprivileged users in a jail can only see processes in the same jail.
+ */
+static int jail_match = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, jail_match,
+ CTLFLAG_RW, &jail_match, 0, "Allow access only when in the same jail");
+
+static int
+mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {
+
+ if (!jail_match)
+ return (0);
+
+ if (u1->cr_prison == NULL && u2->cr_prison == NULL)
+ return (0);
+
+ if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
+ return (0);
+
+ return (ESRCH);
+}
+
static int
mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
{
@@ -113,7 +136,8 @@
return (0);
if (primarygroup_enabled) {
- if (u1->cr_rgid == u2->cr_rgid)
+ if (u1->cr_rgid == u2->cr_rgid &&
+ mac_seeotheruids_prison_check(u1, u2) == 0)
return (0);
}
@@ -122,7 +146,8 @@
return (0);
}
- if (u1->cr_ruid == u2->cr_ruid)
+ if (u1->cr_ruid == u2->cr_ruid &&
+ mac_seeotheruids_prison_check(u1, u2) == 0)
return (0);
if (suser_privileged) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060528152510.GA39279>