Re: security.bsd.see_other_uids for jails

From: John Baldwin <jhb@xxxxxxxxxxx>
Date: Wed, 31 May 2006 15:03:58 -0400

On Sunday 28 May 2006 11:25, David Malone wrote:

On Sun, May 28, 2006 at 03:46:06PM +0200, Anatoli Klassen wrote:

if security.bsd.see_other_uids is set to 0, users from the main system
can still see processes from jails if they have (by accident) the save

uid.

For me it's wrong behavior because the main system and the jail are two
different systems where uids are independent.

You could try the following (untested) patch to the MAC seeotheruid
module. You'd need to compile a kernel with the MAC option and then:

kldload mac_seeotheruids
sysctl security.mac.seeotheruids.enabled=1
sysctl security.mac.seeotheruids.jail_match=1

and I think it will do what you want. The module is very simple, so
if it doesn't quite do what you want, then you may be able to tweak
it to get what you want.

David.

Index: sys/security/mac_seeotheruids/mac_seeotheruids.c
===================================================================
+static int
+mac_seeotheruids_prison_check(struct ucred *u1, struct ucred *u2) {
+
+ if (!jail_match)
+ return (0);
+
+ if (u1->cr_prison == NULL && u2->cr_prison == NULL)
+ return (0);
+
+ if (u1->cr_prison != NULL && u1->cr_prison == u2->cr_prison)
+ return (0);
+
+ return (ESRCH);
+}

Mostly off-topic, but couldn't you simplify the logic here slightly:

{
if (!jail_match)
return (0);

if (u1->cr_prison == u2->cr_prison)
return (0);

return (ESRCH);
}

--
John Baldwin
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re: security.bsd.see_other_uids for jails
  - From: David Malone

References:
- security.bsd.see_other_uids for jails
  - From: Anatoli Klassen
- Re: security.bsd.see_other_uids for jails
  - From: David Malone

Prev by Date: Re: dump(8) performance
Next by Date: Re: [patch] Adding optimized kernel copying support - Part III
Previous by thread: Re: security.bsd.see_other_uids for jails
Next by thread: Re: security.bsd.see_other_uids for jails
Index(es):
- Date
- Thread

Relevant Pages

Re: jail and chflags [patch]
... +> I have several situations where I use jails, but I also need to allow ... +> processes to do 'chflags'. ... +> I trust these jailed processes, as I'm using jails to allow different ... Maybe we rename sysctl name to ...
(freebsd-current)
Re: FreeBSD 7.0 jail and Samba 3
... as I said I didn't read it all) or b) enable raw sockets in jails ... FreeBSDhost# sysctl -a | grep raw_sockets ...
(freebsd-questions)