git: d40c6fa7db7d - stable/13 - cr_canseejailproc(): New privilege, no direct check for UID 0

From: Olivier Certner <olce_at_FreeBSD.org>
Date: Thu, 21 Dec 2023 13:43:22 UTC
The branch stable/13 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=d40c6fa7db7d36d5c5f00648a73f17b273ab6bcb

commit d40c6fa7db7d36d5c5f00648a73f17b273ab6bcb
Author:     Olivier Certner <olce.freebsd@certner.fr>
AuthorDate: 2023-08-17 23:54:37 +0000
Commit:     Olivier Certner <olce@FreeBSD.org>
CommitDate: 2023-12-21 13:36:00 +0000

    cr_canseejailproc(): New privilege, no direct check for UID 0
    
    Use priv_check_cred() with a new privilege (PRIV_SEEJAILPROC) instead of
    explicitly testing for UID 0 (the former has been the rule for almost 20
    years).
    
    As a consequence, cr_canseejailproc() now abides by the
    'security.bsd.suser_enabled' sysctl and MAC policies.
    
    Update the MAC policies Biba and LOMAC, and prison_priv_check() so that
    they don't deny this privilege.  This preserves the existing behavior
    (the 'root' user is not restricted, even when jailed, unless
    'security.bsd.suser_enabled' is not 0) and is consistent with what is
    done for the related policies/privileges (PRIV_SEEOTHERGIDS,
    PRIV_SEEOTHERUIDS).
    
    Reviewed by:            emaste (earlier version), mhorne
    Sponsored by:           Kumacom SAS
    Differential Revision:  https://reviews.freebsd.org/D40626
    
    (cherry picked from commit 7974ca1cdbee949f5e453eea112be265b425c407)
    
    Approved by:    markj (mentor)
---
 sys/kern/kern_jail.c               | 1 +
 sys/kern/kern_prot.c               | 7 +++++--
 sys/security/mac_biba/mac_biba.c   | 1 +
 sys/security/mac_lomac/mac_lomac.c | 1 +
 sys/sys/priv.h                     | 1 +
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index d03612e43c52..9a9371f8591d 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3614,6 +3614,7 @@ prison_priv_check(struct ucred *cred, int priv)
 		 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:
 
 		/*
 		 * Jail implements inter-process debugging limits already, so
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index a405acfee433..8b56ba3f8846 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -1428,9 +1428,12 @@ SYSCTL_INT(_security_bsd, OID_AUTO, see_jail_proc, CTLFLAG_RW,
 int
 cr_canseejailproc(struct ucred *u1, struct ucred *u2)
 {
-	if (u1->cr_uid == 0)
+	if (see_jail_proc || /* Policy deactivated. */
+	    u1->cr_prison == u2->cr_prison || /* Same jail. */
+	    priv_check_cred(u1, PRIV_SEEJAILPROC) == 0) /* Privileged. */
 		return (0);
-	return (!see_jail_proc && u1->cr_prison != u2->cr_prison ? ESRCH : 0);
+
+	return (ESRCH);
 }
 
 /*-
diff --git a/sys/security/mac_biba/mac_biba.c b/sys/security/mac_biba/mac_biba.c
index b175e57b2812..2d0df254f94c 100644
--- a/sys/security/mac_biba/mac_biba.c
+++ b/sys/security/mac_biba/mac_biba.c
@@ -1924,6 +1924,7 @@ biba_priv_check(struct ucred *cred, int priv)
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:
 		break;
 
 	/*
diff --git a/sys/security/mac_lomac/mac_lomac.c b/sys/security/mac_lomac/mac_lomac.c
index 8cd9fcf190c6..761214db07e4 100644
--- a/sys/security/mac_lomac/mac_lomac.c
+++ b/sys/security/mac_lomac/mac_lomac.c
@@ -1692,6 +1692,7 @@ lomac_priv_check(struct ucred *cred, int priv)
 	 */
 	case PRIV_SEEOTHERGIDS:
 	case PRIV_SEEOTHERUIDS:
+	case PRIV_SEEJAILPROC:
 		break;
 
 	/*
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index e0e8d98f294a..9e6d876be874 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -105,6 +105,7 @@
 #define	PRIV_CRED_SETRESGID	58	/* setresgid. */
 #define	PRIV_SEEOTHERGIDS	59	/* Exempt bsd.seeothergids. */
 #define	PRIV_SEEOTHERUIDS	60	/* Exempt bsd.seeotheruids. */
+#define	PRIV_SEEJAILPROC        61      /* Exempt from bsd.see_jail_proc. */
 
 /*
  * Debugging privileges.