Re: security.bsd.see_other_uids for jails
- From: David Malone <dwmalone@xxxxxxxxxxxx>
- Date: Sun, 28 May 2006 16:25:10 +0100
On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:
if security.bsd.see_other_uids is set to 0, users from the main system
can still see processes from jails if they have (by accident) the save uid.
For me it's wrong behavior because the main system and the jail are two
different systems where uids are independent.
You could try the following (untested) patch to the MAC seeotheruid
module. You'd need to compile a kernel with the MAC option and then:
kldload mac_seeotheruids
sysctl security.mac.seeotheruids.enabled=1
sysctl security.mac.seeotheruids.jail_match=1
and I think it will do what you want. The module is very simple, so
if it doesn't quite do what you want, then you may be able to tweak
it to get what you want.
David.
Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
===================================================================
RCS file: /cvs/FreeBSD-CVS/src/sys/security/mac_seeotheruids/mac_seeotheruids.c,v
retrieving revision 1.8
diff -u -r1.8 mac_seeotheruids.c
--- sys/security/mac_seeotheruids/mac_seeotheruids.c 30 Sep 2005 23:41:10 -0000 1.8
+++ sys/security/mac_seeotheruids/mac_seeotheruids.c 28 May 2006 14:57:24 -0000
@@ -105,6 +105,29 @@
SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, specificgid, CTLFLAG_RW,
&specificgid, 0, "Specific gid to be exempt from seeotheruids policy");
+/*
+ * Restriction: Unprivileged users outside jail cannot see jailed processes,
+ * unprivileged users in a jail can only see processes in the same jail.
+ */
+static int jail_match = 0;
+SYSCTL_INT(_security_mac_seeotheruids, OID_AUTO, jail_match,
+ CTLFLAG_RW, &jail_match, 0, "Allow access only when in the same jail");
+
+static int
+mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {
+
+ if (!jail_match)
+ return (0);
+
+ if (u1->cr_prison == NULL && u2->cr_prison == NULL)
+ return (0);
+
+ if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
+ return (0);
+
+ return (ESRCH);
+}
+
static int
mac_seeotheruids_check(struct ucred *u1, struct ucred *u2)
{
@@ -113,7 +136,8 @@
return (0);
if (primarygroup_enabled) {
- if (u1->cr_rgid == u2->cr_rgid)
+ if (u1->cr_rgid == u2->cr_rgid &&
+ mac_seeotheruids_prison_check(u1, u2) == 0)
return (0);
}
@@ -122,7 +146,8 @@
return (0);
}
- if (u1->cr_ruid == u2->cr_ruid)
+ if (u1->cr_ruid == u2->cr_ruid &&
+ mac_seeotheruids_prison_check(u1, u2) == 0)
return (0);
if (suser_privileged) {
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
- Follow-Ups:
- Re: security.bsd.see_other_uids for jails
- From: John Baldwin
- Re: security.bsd.see_other_uids for jails
- From: Anatoli Klassen
- Re: security.bsd.see_other_uids for jails
- References:
- security.bsd.see_other_uids for jails
- From: Anatoli Klassen
- security.bsd.see_other_uids for jails
- Prev by Date: Re: security.bsd.see_other_uids for jails
- Next by Date: Pagedaemon and shared memory [was: Heavy system load by pagedaemon].
- Previous by thread: Re: security.bsd.see_other_uids for jails
- Next by thread: Re: security.bsd.see_other_uids for jails
- Index(es):
Relevant Pages
|
|
