authorRobert Watson <rwatson@FreeBSD.org>2000-06-04 04:28:31 +0000
committerRobert Watson <rwatson@FreeBSD.org>2000-06-04 04:28:31 +0000
commit7cadc2663e77373c6aa646c06f75cb7705329842 (patch)
tree19aa5bf4a1f35db5b690dbfdd07f864a1436a12d
parenta6cb9949a731955ca4a27553ae714ca42fa187ee (diff)
o Modify jail to limit creation of sockets to UNIX domain sockets,
TCP/IP (v4) sockets, and routing sockets. Previously, interaction with IPv6 was not well-defined, and might be inappropriate for some environments. Similarly, sysctl MIB entries providing interface information also give out only addresses from those protocol domains. For the time being, this functionality is enabled by default, and toggleable using the sysctl variable jail.socket_unixiproute_only. In the future, protocol domains will be able to determine whether or not they are ``jail aware''. o Further limitations on process use of getpriority() and setpriority() by jailed processes. Addresses problem described in kern/17878. Reviewed by: phk, jmg
Notes
Notes: svn path=/head/; revision=61235
-rw-r--r--sys/kern/kern_jail.c9
-rw-r--r--sys/kern/kern_resource.c18
-rw-r--r--sys/kern/uipc_socket.c9
-rw-r--r--sys/sys/jail.h1
4 files changed, 31 insertions, 6 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 90c9aa81a7d7..af18a5e68854 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -34,6 +34,11 @@ SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
&jail_set_hostname_allowed, 0,
"Processes in jail can set their hostnames");
+int jail_socket_unixiproute_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+ &jail_socket_unixiproute_only, 0,
+ "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+
int
jail(p, uap)
struct proc *p;
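Review bot: The new knob is CTLFLAG_RW with no restriction on the writer, and both places that enforce it (prison_if() in this file and socreate() in uipc_socket.c) read the global on every call rather than latching it at jail() time, so a single write on the host lifts the socket-domain restriction for every running jail at once. If jailed root is able to write ordinary sysctls on this kernel (sysctl_root is not part of this diff), a jail could clear its own restriction, which is worth confirming before this ships enabled by default. A comment at the definition would make the intent explicit, e.g. `/* Host-wide policy; consulted on every socreate()/prison_if(), never latched per jail. */`.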
@@ -126,7 +131,9 @@ prison_if(struct proc *p, struct sockaddr *sa)
struct sockaddr_in *sai = (struct sockaddr_in*) sa;
int ok;
- if (sai->sin_family != AF_INET)
+ if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+ ok = 1;
+ else if (sai->sin_family != AF_INET)
ok = 0;
else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
ok = 1;
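Review bot: The first two branches of the chain test the same condition, `sai->sin_family != AF_INET`, and differ only in the value stored, so the new logic reads more directly as `if (sai->sin_family != AF_INET) ok = (jail_socket_unixiproute_only != 0); else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr)) ok = 1; else ok = 0;`. The variable name also works against the reader: `ok = 1` is assigned for a non-IPv4 address and for an IPv4 address that does not match the jail's pr_ip, which only makes sense if callers treat a nonzero return as "hide this address from the jail" — the callers and the function's return are outside this hunk, so that convention is inferred. A comment above the chain stating it, e.g. `/* Nonzero: address is not visible to the jailed process. */`, would stop the next maintainer from "correcting" the polarity.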
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 2c6478d075cb..11039adf0ea5 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -88,6 +88,8 @@ getpriority(curp, uap)
p = pfind(uap->who);
if (p == 0)
break;
+ if (!PRISON_CHECK(curp, p))
+ break;
low = p->p_nice;
break;
@@ -99,7 +101,7 @@ getpriority(curp, uap)
else if ((pg = pgfind(uap->who)) == NULL)
break;
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
- if (p->p_nice < low)
+ if ((PRISON_CHECK(curp, p) && p->p_nice < low))
low = p->p_nice;
}
break;
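Review bot: The changed condition carries a redundant pair of parentheses, `if ((PRISON_CHECK(curp, p) && p->p_nice < low))`; `if (PRISON_CHECK(curp, p) && p->p_nice < low)` matches the PRIO_USER case added in the same commit. On the security side the filtering looks right: when no member of the group passes PRISON_CHECK, low keeps its initial value and the caller presumably receives the same ESRCH as for a nonexistent group, so group existence is not leaked across the jail boundary — the initialisation of low and the post-switch check are outside this hunk, so that should be confirmed rather than assumed.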
@@ -109,7 +111,8 @@ getpriority(curp, uap)
if (uap->who == 0)
uap->who = curp->p_ucred->cr_uid;
LIST_FOREACH(p, &allproc, p_list)
- if (p->p_ucred->cr_uid == uap->who &&
+ if (PRISON_CHECK(curp, p) &&
+ p->p_ucred->cr_uid == uap->who &&
p->p_nice < low)
low = p->p_nice;
break;
@@ -148,6 +151,8 @@ setpriority(curp, uap)
p = pfind(uap->who);
if (p == 0)
break;
+ if (!PRISON_CHECK(curp, p))
+ break;
error = donice(curp, p, uap->prio);
found++;
break;
@@ -160,8 +165,10 @@ setpriority(curp, uap)
else if ((pg = pgfind(uap->who)) == NULL)
break;
LIST_FOREACH(p, &pg->pg_members, p_pglist) {
- error = donice(curp, p, uap->prio);
- found++;
+ if (PRISON_CHECK(curp, p)) {
+ error = donice(curp, p, uap->prio);
+ found++;
+ }
}
break;
}
@@ -170,7 +177,8 @@ setpriority(curp, uap)
if (uap->who == 0)
uap->who = curp->p_ucred->cr_uid;
LIST_FOREACH(p, &allproc, p_list)
- if (p->p_ucred->cr_uid == uap->who) {
+ if (p->p_ucred->cr_uid == uap->who &&
+ PRISON_CHECK(curp, p)) {
error = donice(curp, p, uap->prio);
found++;
}
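Review bot: The operand order here, `p->p_ucred->cr_uid == uap->who && PRISON_CHECK(curp, p)`, is the reverse of the getpriority() PRIO_USER case in the same commit, which tests PRISON_CHECK first. Both are correct, but putting the jail test first in every allproc walk makes it easy to audit that no walk over all processes escapes the jail filter, e.g. `if (PRISON_CHECK(curp, p) && p->p_ucred->cr_uid == uap->who) {`. The rest of setpriority(), including the ESRCH path that relies on found staying 0, is outside this hunk.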
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 76495e19244f..73138112e1ca 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -53,6 +53,7 @@
#include <sys/signalvar.h>
#include <sys/sysctl.h>
#include <sys/uio.h>
+#include <sys/jail.h>
#include <vm/vm_zone.h>
#include <machine/limits.h>
@@ -133,6 +134,14 @@ socreate(dom, aso, type, proto, p)
prp = pffindproto(dom, proto, type);
else
prp = pffindtype(dom, type);
+
+ if (p->p_prison && jail_socket_unixiproute_only &&
+ prp->pr_domain->dom_family != PF_LOCAL &&
+ prp->pr_domain->dom_family != PF_INET &&
+ prp->pr_domain->dom_family != PF_ROUTE) {
+ return (EPROTONOSUPPORT);
+ }
+
if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
return (EPROTONOSUPPORT);
if (prp->pr_type != type)
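Review bot: The new jail check dereferences `prp->pr_domain->dom_family` before the `prp == 0` test that follows it, so a jailed process asking for a domain or protocol that pffindproto()/pffindtype() cannot resolve walks a NULL pointer in the kernel instead of getting EPROTONOSUPPORT — a panic any jailed user can trigger with a single socket(2) call, which defeats the point of the containment this commit is adding. Move the jail test below the existing check, i.e. keep `if (prp == 0 || prp->pr_usrreqs->pru_attach == 0) return (EPROTONOSUPPORT);` first and only then apply the `p->p_prison && jail_socket_unixiproute_only && ...` family test. A one-line comment such as `/* Jailed processes may only create UNIX, IPv4 and routing sockets. */` above the test would document the policy where it is enforced. socreate()'s body continues outside the hunk.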
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index a9e98611d4e5..0d07b6cae1cd 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -47,6 +47,7 @@ struct prison {
* Sysctl-set variables that determine global jail policy
*/
extern int jail_set_hostname_allowed;
+extern int jail_socket_unixiproute_only;
#endif /* !_KERNEL */
#endif /* !_SYS_JAIL_H_ */