aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOlivier Certner <olce.freebsd@certner.fr>2023-08-17 23:54:38 +0000
committerMitchell Horne <mhorne@FreeBSD.org>2023-10-18 17:59:51 +0000
commit7e21c691f295b3babc8c57c0aeafa19faf1371b6 (patch)
tree037f2113404f3693df85bcd4316a0f566fe87f1c
parent768fe23009877b42a9f45b0ca9e9c05f9db76649 (diff)
downloadsrc-7e21c691f295.tar.gz
src-7e21c691f295.zip
Fix 'security.bsd.see_jail_proc' by using cr_bsd_visible()
As implemented, this security policy would only prevent seeing processes in sub-jails, but would not prevent sending signals to, changing priority of or debugging processes in these, enabling attacks where unprivileged users could tamper with random processes in sub-jails in particular circumstances (conflated UIDs) despite the policy being enforced. Approved by: re (gjb) PR: 272092 Reviewed by: mhorne Sponsored by: Kumacom SAS Differential Revision: https://reviews.freebsd.org/D40628 (cherry picked from commit 5817169bc4a06a35aa5ef7f5ed18f6cb35037e18) (cherry picked from commit abfcae344feb89c635616769d12150f84c96c003)
-rw-r--r--sys/kern/kern_prot.c25
-rw-r--r--sys/netinet/in_prot.c4
2 files changed, 8 insertions, 21 deletions
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 1e6073b554e4..648c067dc528 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1471,11 +1471,7 @@ cr_cansee(struct ucred *u1, struct ucred *u2)
if ((error = mac_cred_check_visible(u1, u2)))
return (error);
#endif
- if ((error = cr_canseeotheruids(u1, u2)))
- return (error);
- if ((error = cr_canseeothergids(u1, u2)))
- return (error);
- if ((error = cr_canseejailproc(u1, u2)))
+ if ((error = cr_bsd_visible(u1, u2)))
return (error);
return (0);
}
@@ -1536,9 +1532,7 @@ cr_cansignal(struct ucred *cred, struct proc *proc, int signum)
if ((error = mac_proc_check_signal(cred, proc, signum)))
return (error);
#endif
- if ((error = cr_canseeotheruids(cred, proc->p_ucred)))
- return (error);
- if ((error = cr_canseeothergids(cred, proc->p_ucred)))
+ if ((error = cr_bsd_visible(cred, proc->p_ucred)))
return (error);
/*
@@ -1653,10 +1647,9 @@ p_cansched(struct thread *td, struct proc *p)
if ((error = mac_proc_check_sched(td->td_ucred, p)))
return (error);
#endif
- if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
- return (error);
- if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
+
if (td->td_ucred->cr_ruid != p->p_ucred->cr_ruid &&
td->td_ucred->cr_uid != p->p_ucred->cr_ruid) {
error = priv_check(td, PRIV_SCHED_DIFFCRED);
@@ -1723,9 +1716,7 @@ p_candebug(struct thread *td, struct proc *p)
if ((error = mac_proc_check_debug(td->td_ucred, p)))
return (error);
#endif
- if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
- return (error);
- if ((error = cr_canseeothergids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
/*
@@ -1815,9 +1806,7 @@ cr_canseesocket(struct ucred *cred, struct socket *so)
if (error)
return (error);
#endif
- if (cr_canseeotheruids(cred, so->so_cred))
- return (ENOENT);
- if (cr_canseeothergids(cred, so->so_cred))
+ if (cr_bsd_visible(cred, so->so_cred))
return (ENOENT);
return (0);
@@ -1847,7 +1836,7 @@ p_canwait(struct thread *td, struct proc *p)
#endif
#if 0
/* XXXMAC: This could have odd effects on some shells. */
- if ((error = cr_canseeotheruids(td->td_ucred, p->p_ucred)))
+ if ((error = cr_bsd_visible(td->td_ucred, p->p_ucred)))
return (error);
#endif
diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c
index 222e39c6bcd2..204f4f60456e 100644
--- a/sys/netinet/in_prot.c
+++ b/sys/netinet/in_prot.c
@@ -67,9 +67,7 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
if (error)
return (error);
#endif
- if (cr_canseeotheruids(cred, inp->inp_cred))
- return (ENOENT);
- if (cr_canseeothergids(cred, inp->inp_cred))
+ if (cr_bsd_visible(cred, inp->inp_cred))
return (ENOENT);
return (0);