diff options
| author | Olivier Certner <olce.freebsd@certner.fr> | 2023-08-17 23:54:38 +0000 |
|---|---|---|
| committer | Olivier Certner <olce@FreeBSD.org> | 2023-12-21 13:36:17 +0000 |
| commit | 9a4a7e5fb6e901e81c8e64a988358ad4b59464a5 (patch) | |
| tree | cd09e9cfe329c6993547a7c76f09f3e6f5ed85bd | |
| parent | 0dafeb5bc874d79907cc25b3c8dc14f9ed55b396 (diff) | |
| download | src-9a4a7e5fb6e901e81c8e64a988358ad4b59464a5.tar.gz src-9a4a7e5fb6e901e81c8e64a988358ad4b59464a5.zip | |
Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
As implemented, this security policy would only prevent seeing processes
in sub-jails, but would not prevent sending signals to, changing
priority of or debugging processes in these, enabling attacks where
unprivileged users could tamper with random processes in sub-jails in
particular circumstances (conflated UIDs) despite the policy being
enforced.
PR: 272092
Reviewed by: mhorne
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40628
(cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18)
Approved by: markj (mentor)
| -rw-r--r-- | sys/kern/kern_prot.c | 25 | ||||
| -rw-r--r-- | sys/netinet/in_prot.c | 4 |
2 files changed, 8 insertions, 21 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 8118afd4d366..7f196a446315 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c @@ -1473,11 +1473,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2) if ((error = mac_cred_check_visible(u1, u2))) return (error); #endif - if ((error = cr_canseeotheruids(u1, u2))) - return (error); - if ((error = cr_canseeothergids(u1, u2))) - return (error); - if ((error = cr_canseejailproc(u1, u2))) + if ((error = cr_bsd_visible(u1, u2))) return (error); return (0); } @@ -1538,9 +1534,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum) if ((error = mac_proc_check_signal(cred, proc, signum))) return (error); #endif - if ((error = cr_canseeotheruids(cred, proc->p_ucred))) - return (error); - if ((error = cr_canseeothergids(cred, proc->p_ucred))) + if ((error = cr_bsd_visible(cred, proc->p_ucred))) return (error); /* @@ -1655,10 +1649,9 @@ p_cansched(struct thread *td, struct proc *p) if ((error = mac_proc_check_sched(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); + if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid && td->td_ucred->cr_uid != p->p_ucred->cr_ruid) { error = priv_check(td, PRIV_SCHED_DIFFCRED); @@ -1725,9 +1718,7 @@ p_candebug(struct thread *td, struct proc *p) if ((error = mac_proc_check_debug(td->td_ucred, p))) return (error); #endif - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) - return (error); - if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); /* @@ -1819,9 +1810,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so) if (error) return (error); #endif - if (cr_canseeotheruids(cred, so->so_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, so->so_cred)) + if (cr_bsd_visible(cred, so->so_cred)) return (ENOENT); return (0); @@ -1851,7 +1840,7 @@ p_canwait(struct thread *td, struct proc *p) #endif #if 0 /* XXXMAC: This could have odd effects on some shells. */ - if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred))) + if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred))) return (error); #endif diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c index 222e39c6bcd2..204f4f60456e 100644 --- a/sys/netinet/in_prot.c +++ b/sys/netinet/in_prot.c @@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp) if (error) return (error); #endif - if (cr_canseeotheruids(cred, inp->inp_cred)) - return (ENOENT); - if (cr_canseeothergids(cred, inp->inp_cred)) + if (cr_bsd_visible(cred, inp->inp_cred)) return (ENOENT); return (0); |